Microsoft Edge Process Memory Security Vulnerability Unprotected Password Storage and Official Response to Exposure Risks
The Microsoft Edge process stores unprotected user passwords in its memory for unauthorized access. The browser shows a serious security weakness because it keeps all saved passwords in its memory without using encryption. The browser starts its decryption process which continues to operate throughout the user session even without any login attempts from the user. A security researcher from Norway known as @L1v1ng0ffTh3L4N identified that this platform is the only Chromium based browser that handles sensitive data in this manner. The Microsoft Edge process memory contains unencrypted information which enables an attacker to obtain complete credential data from active systems.
Microsoft Edge loads all your saved passwords into memory in cleartext — even when you’re not using them. pic.twitter.com/ci0ZLEYFLB
— Tom Jøran Sønstebyseter Rønning (@L1v1ng0ffTh3L4N) May 4, 2026
The safety requirements which Microsoft Edge follows do not match what leading web browsers implement as competitive standards. Google Chrome and other similar browsers only decrypt sensitive information during a specific auto fill request or a manual view command. In those cases the data is only exposed for a brief moment. Microsoft Edge however maintains the entire database in a readable format within the RAM until the application is closed. This architectural choice removes the primary barrier that usually prevents malicious software from scraping passwords out of system memory.
The user interface of the browser creates a powerful difference when compared to what the actual system shows as its current data status. The settings menu still requires secondary authentication before it will display clear text on the screen for a user. The password protection system provides false security because users can access all passwords through process memory without needing any further password verification. Basic process access enables an attacker to access visual security prompts by reading system memory directly.
Microsoft has responded to these security findings by stating that the behavior is intentional. The company maintains that they continue to operate according to their threat model which includes no security measures against attackers who gain physical device access. The development team currently works to remove all unnecessary features from the browser. The 2026 development roadmap does not include local memory scraping protection as the company puts greater emphasis on performance than on local file encryption.
