The Original Security Flaw
Microsoft is changing how its Edge browser handles saved passwords, addressing a security concern that had drawn criticism from security researchers. Previously, Edge would decrypt a user’s entire saved password database upon startup and keep all credentials in the browser’s process memory as plaintext for the entire browsing session. This meant that even passwords never used during a session remained exposed in memory, making them potentially accessible to attackers with local access to the system.
A security researcher noted that this behavior made Edge unique among Chromium-based browsers. Chrome, by contrast, uses a design that makes it significantly more difficult for attackers to extract saved passwords by simply reading process memory. Microsoft had initially defended the behavior as intentional, but has now reversed its position.
The New Defense in Depth Approach
Microsoft Edge Security Lead Gareth Evans announced the company is taking a broader view of the issue and has committed to changing Edge’s password handling as a defense in depth improvement. The new behavior ensures saved passwords are no longer loaded into memory as plaintext on startup, reducing the exposure window for potential credential theft.
The updated password handling is already available in the Canary preview version of Edge, with plans to roll it out across all channels. This change significantly narrows the attack surface by only loading passwords into memory when they are actually needed for autofill, rather than keeping the entire credential store resident in memory for the whole session.
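To make the difference between the two designs concrete, here is an added Python model (not Edge's or Chromium's code) of an "eager" store that decrypts every credential at startup and an "on-demand" store that decrypts only the entry being autofilled. The keystream cipher is a constructed stand-in for the OS-protected encryption a browser would use, the site names and passwords are constructed sample data, and the reachability walk is a stand-in for dumping process memory to check what plaintext is resident.

```python
import hashlib
import hmac
import os


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed stand-in cipher: HMAC-SHA256 keystream XORed over data (same call decrypts)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def seal_store(key: bytes, creds: dict) -> dict:
    """Encrypt each password under a fresh nonce; this is what rests on disk."""
    return {site: (n, _keystream_xor(key, n, pw))
            for site, pw in creds.items() for n in (os.urandom(12),)}


class EagerStore:
    """Models the old behaviour: whole vault decrypted at startup and kept resident."""
    def __init__(self, key: bytes, sealed: dict):
        self.plaintext = {s: _keystream_xor(key, n, ct) for s, (n, ct) in sealed.items()}

    def get(self, site: str) -> bytes:
        return self.plaintext[site]


class OnDemandStore:
    """Models the new behaviour: only the ciphertext is resident; decrypt per autofill."""
    def __init__(self, key: bytes, sealed: dict):
        self.key, self.sealed = key, sealed

    def get(self, site: str) -> bytes:
        nonce, ct = self.sealed[site]
        return _keystream_xor(self.key, nonce, ct)  # caller drops it after filling the form


def reachable_plaintext(root, secrets) -> set:
    """Walk dicts/sequences/attributes reachable from root; report secrets present as plaintext."""
    secrets, seen, stack, found = tuple(secrets), set(), [root], set()
    while stack:
        obj = stack.pop()
        if id(obj) in seen:
            continue
        seen.add(id(obj))
        if isinstance(obj, (bytes, bytearray)):
            found.update(s for s in secrets if s in bytes(obj))
        elif isinstance(obj, dict):
            stack.extend(list(obj.keys()) + list(obj.values()))
        elif isinstance(obj, (list, tuple, set, frozenset)):
            stack.extend(obj)
        elif hasattr(obj, "__dict__"):
            stack.extend(vars(obj).values())
    return found
```

With the eager store every sample password is reachable before any site is visited; with the on-demand store none is, and a single `get()` exposes only that one credential for as long as the caller holds it.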
Source: Malwarebytes
