A security researcher disclosed on April 29, 2026, that Microsoft Edge decrypts every stored password into process memory the moment the browser launches - and keeps them there as cleartext for the entire session, regardless of whether the user ever visits the sites those credentials belong to. The finding, which has drawn significant attention from security professionals, puts Edge's credential handling in direct contrast with Google Chrome's approach and raises practical concerns for organizations running shared Windows environments.
The disclosure
The finding was uncovered by researcher @L1v1ng0ffTh3L4N, who systematically tested every major Chromium-based browser for credential memory handling behavior. According to Cyber Security News, which reported on the disclosure, Edge was the only browser that exhibited this behavior - loading the entire password vault into plaintext process memory at startup and retaining it for the duration of the session.
The disclosure took place on April 29 at BigBiteOfTech, presented by PaloAltoNtwks Norway, alongside a small educational verification tool. That tool, released publicly, allows any user to confirm whether their Edge browser is holding cleartext credentials in process memory. On May 4, 2026, researcher Tom Joran Sonstebyseter Ronning, who posts as @L1v1ng0ffTh3L4N on X, published a video demonstration that accumulated 5,900 replies and broad engagement within hours.
When the researcher responsibly disclosed the finding to Microsoft, the company's official response was that the behavior is "by design."
How Edge handles passwords differently
The contrast with Google Chrome is technically significant. According to Cyber Security News, Chrome implements on-demand decryption: credentials are decrypted only at the moment they are needed, specifically during autofill or when a user explicitly views a saved password. Chrome further hardens its model with App-Bound Encryption, which cryptographically binds decryption keys to an authenticated Chrome process. This prevents other processes from reusing those keys to access credentials.
Edge offers neither of these protections. From the moment the browser opens, every saved credential across every site in the user's vault sits in plaintext in the browser's process memory, creating a persistent, wide-surface extraction target for any attacker with the ability to read that process memory.
What makes the situation particularly contradictory is Edge's own user interface behavior. According to the disclosure, the browser still prompts users for re-authentication before revealing passwords in the Password Manager interface, yet the same browser process already holds all those credentials in plaintext, completely accessible to anyone querying process memory. The re-authentication gate therefore provides only the appearance of access control. It offers no protection against memory-based credential extraction.
App-Bound Encryption: what it does and does not cover
In the LinkedIn discussion that followed the disclosure, Angus Holliday, a Senior Security Operations Specialist, clarified the scope of Microsoft's own App-Bound Encryption policy: "App-bound encryption protects at rest / key usage. Does NOT protect memory." His comment underlines the gap: even where App-Bound Encryption is enabled in Edge, it secures the encryption keys for data stored on disk, not the plaintext credentials that are loaded into memory at launch.
Microsoft's policy documentation for ApplicationBoundEncryptionEnabled, last updated January 27, 2026, describes this feature as binding "the encryption keys used for local data storage to Microsoft Edge whenever possible." The policy page notes that disabling it "has a detrimental effect on Microsoft Edge's security because unknown and potentially hostile apps can retrieve the encryption keys used to secure data." The policy is supported on Windows for Edge version 127 and above, and is not available on macOS, Android, or iOS.
The critical distinction, then, is between data at rest and data in memory. App-Bound Encryption addresses the former. The disclosure concerns the latter - and Microsoft's own documentation acknowledges this gap. According to Microsoft's public guidance on Edge password manager security, "physically local attacks and malware are outside the threat model," and "under these conditions, encrypted data would be vulnerable." The same documentation states that if a computer is infected with malware, an attacker can get decrypted access to the browser's storage areas.
Memory scraping as an attack vector
The severity of this finding escalates significantly in shared or multi-user environments. According to Cyber Security News, terminal servers and Remote Desktop Services (RDS) installations are particularly exposed. An attacker with administrative privileges on such a system can read the memory of every logged-on user process simultaneously. A published proof-of-concept video accompanying the disclosure demonstrated a compromised administrator account successfully extracting stored credentials from two other logged-on users - including users with disconnected but still active sessions - by reading their Edge browser process memory.
This transforms a single admin-level compromise into a full credential harvest across an entire multi-user environment. Cyber Security News notes the behavior maps directly to MITRE ATT&CK T1555.003, the technique classification for Credentials from Web Browsers.
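A defender-side way to watch for the memory-scraping pattern described above, added here as an example that is not from the article, from Cyber Security News, or from the researcher's verification tool: it scans Sysmon ProcessAccess (Event ID 10) records for reads of msedge.exe memory that cross a user boundary, the terminal-server scenario in the proof-of-concept, and for reads by images that are neither Edge itself nor known security tooling. The field names follow Sysmon's Event 10 schema, the log lines and the allowlisted sensor path are constructed, and the heuristic is an assumption of this example rather than a published detection rule.

```python
"""Flag suspicious reads of Microsoft Edge process memory in Sysmon
ProcessAccess (Event ID 10) records, the host telemetry a defender would
use to spot the behaviour mapped to MITRE ATT&CK T1555.003.

Added example; not code from the article or the researcher's tool.
Field names follow Sysmon's Event 10 schema (SourceImage, TargetImage,
GrantedAccess, SourceUser, TargetUser). Log lines are constructed."""

import re
from typing import Dict, List, Optional

# Windows process access rights from winnt.h. Reading another process's
# memory requires PROCESS_VM_READ; the other two are common companions.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

EDGE_IMAGE_SUFFIX = "\\msedge.exe"

# Assumed allowlist of images that legitimately read browser memory
# (EDR sensors, AV engines). The path is a placeholder, not a real product.
KNOWN_SECURITY_TOOLING = {"c:\\program files\\example-edr\\sensor.exe"}

# Constructed sample events in key=value form, one event per line.
SAMPLE_LOG = """\
EventID=10 SourceImage=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe TargetImage=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe GrantedAccess=0x1FFFFF SourceUser=CORP\\alice TargetUser=CORP\\alice
EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe GrantedAccess=0x1000 SourceUser=NT AUTHORITY\\SYSTEM TargetUser=CORP\\bob
EventID=10 SourceImage=C:\\Users\\admin\\Desktop\\dumper.exe TargetImage=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe GrantedAccess=0x1010 SourceUser=CORP\\admin TargetUser=CORP\\bob
EventID=10 SourceImage=C:\\Users\\admin\\Desktop\\dumper.exe TargetImage=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe GrantedAccess=0x1410 SourceUser=CORP\\admin TargetUser=CORP\\carol
EventID=10 SourceImage=C:\\Users\\admin\\Desktop\\dumper.exe TargetImage=C:\\Windows\\notepad.exe GrantedAccess=0x1010 SourceUser=CORP\\admin TargetUser=CORP\\bob
EventID=10 SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe TargetImage=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe GrantedAccess=0x1010 SourceUser=CORP\\bob TargetUser=CORP\\bob
"""


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value line; values may contain spaces, keys may not."""
    fields: Dict[str, str] = {}
    for token in re.split(r"\s+(?=[A-Za-z]+=)", line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def classify(ev: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the event is a suspicious Edge memory read."""
    if ev.get("EventID") != "10":
        return None
    target = ev.get("TargetImage", "").lower()
    if not target.endswith(EDGE_IMAGE_SUFFIX):
        return None
    granted = int(ev.get("GrantedAccess", "0"), 16)
    if not granted & PROCESS_VM_READ:
        return None  # handle without memory-read rights: not a scrape
    source = ev.get("SourceImage", "").lower()
    if ev.get("SourceUser", "").lower() != ev.get("TargetUser", "").lower():
        # The RDS case: one account reading another session's browser.
        return "cross-user"
    if source.endswith(EDGE_IMAGE_SUFFIX) or source in KNOWN_SECURITY_TOOLING:
        return None  # Edge's own child processes and allowlisted sensors
    # Same-user read by an unknown image: the infostealer-as-user case.
    return "foreign-source"


def find_suspicious_reads(log_text: str) -> List[Dict[str, str]]:
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        reason = classify(ev)
        if reason:
            hits.append({**ev, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_reads(SAMPLE_LOG):
        print(f"{hit['reason']:14} {hit['SourceUser']} -> {hit['TargetUser']} "
              f"via {hit['SourceImage']} (access {hit['GrantedAccess']})")
```

On the sample data the rule reports the two cross-session reads by the admin account and the same-user read by an unknown binary, while ignoring Edge's own inter-process handles (which routinely carry PROCESS_ALL_ACCESS-style masks) and a service handle that lacks PROCESS_VM_READ. In production the allowlist is the tuning point: legitimate EDR and AV sensors open browser processes with read rights constantly, and without it the cross-user branch will fire on every SYSTEM-context scan.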
In the LinkedIn discussion, Anthony Godin, a Senior Systems Engineer at iQuest, observed: "By Design is missing the Secure part at the front, the part that is meant to lead everything first but is too often an afterthought and by then hits the 'too hard' basket." Another commenter, Jamieson O'Reilly, founder at Dvuln.Hacker, noted that this type of vulnerability had been discussed in the security community for over a decade, adding: "Google does a good job at protecting this type of data thanks to the pressures they've had to evolve against with infostealer malware."
Microsoft's stated position
Microsoft's existing public documentation on Edge password manager security acknowledges that in-memory credentials can be accessed under local attack conditions and categorizes such scenarios as outside the browser's threat model. According to that documentation, "Internet browsers (including Microsoft Edge) aren't equipped with defenses to protect against threats where the entire device is compromised due to malware running as the user on the computer."
The documentation further acknowledges a structural reality that applies to all browser password managers: "When browser passwords are encrypted on disk, the encryption key is available to any process on your device, which includes any locally running malware. Even if passwords are encrypted in a 'vault' by a master key, they'll be decrypted when loaded in the browser's memory space and can be harvested after you unlock the vault."
What distinguishes the Edge finding is not that credentials exist in memory at some point - that is unavoidable for any browser that supports autofill - but that Edge loads the entire vault into plaintext at launch and holds it there continuously. Chrome limits the exposure window to the moment credentials are actually used.
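To make the contrast in "How Edge handles passwords differently" and in the paragraph above concrete, here is an added illustration that is not Edge's or Chrome's code: two toy vaults over the same encrypted store, one that decrypts everything at launch and one that decrypts a single entry on demand and wipes it afterwards, with a counter for how many plaintext passwords are resident at each point. The cipher is a stand-in keystream built from HMAC-SHA256, the site names and passwords are constructed, and the key is generated in-process where a real Windows deployment would wrap it with DPAPI; the point is the residency window, not the cryptography.

```python
"""Model launch-time versus on-demand credential decryption and measure
how many plaintext passwords sit in memory at each stage of a session.

Added illustration, not browser code. The keystream cipher below stands in
for the AES storage encryption described in Microsoft's documentation."""

import hashlib
import hmac
import secrets
from contextlib import contextmanager
from typing import Dict, Iterator, List

# Constructed sample vault (site -> password bytes).
SAMPLE_CREDENTIALS = {
    "mail.example.test": b"correct horse battery staple",
    "crm.example.test": b"Tr0ub4dor&3",
    "bank.example.test": b"hunter2-but-longer",
}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (stand-in for AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(12)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, blob: bytes) -> bytearray:
    """Return a mutable buffer so the caller can zero it when done."""
    nonce, body = blob[:12], blob[12:]
    return bytearray(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def _wipe(buf: bytearray) -> None:
    for i in range(len(buf)):
        buf[i] = 0


class EagerVault:
    """Launch-time model: the whole vault is plaintext for the session."""

    def __init__(self, key: bytes, stored: Dict[str, bytes]):
        self._plain = {site: decrypt(key, blob) for site, blob in stored.items()}

    def resident_plaintext(self) -> int:
        return sum(1 for p in self._plain.values() if any(p))

    @contextmanager
    def use(self, site: str) -> Iterator[bytearray]:
        yield self._plain[site]  # nothing to wipe: it stays resident anyway


class OnDemandVault:
    """On-demand model: decrypt one entry for the autofill, then wipe it."""

    def __init__(self, key: bytes, stored: Dict[str, bytes]):
        self._key, self._stored = key, stored
        self._plain: Dict[str, bytearray] = {}

    def resident_plaintext(self) -> int:
        return sum(1 for p in self._plain.values() if any(p))

    @contextmanager
    def use(self, site: str) -> Iterator[bytearray]:
        buf = decrypt(self._key, self._stored[site])
        self._plain[site] = buf
        try:
            yield buf  # hand out the one buffer so wiping it clears every copy
        finally:
            _wipe(buf)
            del self._plain[site]


def exposure_timeline(vault) -> List[int]:
    """Resident plaintext count at launch, during one autofill, and after."""
    timeline = [vault.resident_plaintext()]
    with vault.use("mail.example.test") as pw:
        assert bytes(pw) == SAMPLE_CREDENTIALS["mail.example.test"]
        timeline.append(vault.resident_plaintext())
    timeline.append(vault.resident_plaintext())
    return timeline


def demo() -> Dict[str, List[int]]:
    key = secrets.token_bytes(32)  # would be DPAPI-wrapped on a real Windows host
    stored = {site: encrypt(key, pw) for site, pw in SAMPLE_CREDENTIALS.items()}
    return {
        "eager": exposure_timeline(EagerVault(key, stored)),
        "on_demand": exposure_timeline(OnDemandVault(key, stored)),
    }


if __name__ == "__main__":
    for model, counts in demo().items():
        print(f"{model:10} launch={counts[0]} during_use={counts[1]} after={counts[2]}")
```

The eager vault reports three plaintext entries at every stage, the on-demand vault reports zero, one, zero. Two limits of the model are worth noting: a garbage-collected language cannot guarantee that no copy of the buffer survives (the example hands out the single bytearray for that reason, where a browser would use a dedicated secure buffer), and on-demand decryption only narrows the window, it does not close it, which is exactly the point the article's quoted Microsoft documentation makes about memory being outside the threat model.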
Microsoft's documentation also confirms how the encryption model works at the storage layer. According to the Edge password manager security guidance, passwords are encrypted on disk using AES, with the encryption key saved in an operating system storage area. On Windows, that storage area is DPAPI (Data Protection API). On Mac, it is the Keychain. The document describes this technique as local data encryption. All these storage areas encrypt the AES key using a key accessible to some or all processes running as the user - a design choice the document explicitly notes "is often featured in blogs as a possible exploit or vulnerability, which is an incorrect understanding of the browser threat model."
The enterprise implications
For organizations that have standardized on Microsoft Edge - a common configuration in Windows-centric enterprise environments - the disclosure raises practical questions about terminal server deployments, VDI environments, and any shared-access systems. Mike Pedrick, a CISO and GRC Leader who commented on the LinkedIn discussion, received a reply noting: "At my last job Edge was the only browser allowed, everything else was blocked - even Safari on the Macs. They said it was for standardization and security, but the truth was the CIO just preferred it."
That scenario - Edge as the only permitted browser - is not uncommon. Security teams in such environments now face a configuration risk that Microsoft has explicitly framed as intentional behavior rather than a vulnerability requiring a patch.
Cyber Security News recommended that security teams managing Windows environments with Edge deployed, particularly those operating terminal servers, VDI environments, or shared-access systems, should treat this as a high-priority configuration risk and consider migrating to browsers with on-demand decryption and App-Bound Encryption until Microsoft addresses the design decision.
The browser market context matters here. According to Cloudflare data covered by PPC Land, Edge held 7.018% of the global browser market in Q1 2025, placing it third behind Chrome at 63.409% and Safari at 17.496%. In enterprise environments, however, Edge's share is considerably higher - particularly in organizations running Microsoft 365 ecosystems where Edge is the default browser on managed Windows devices.
The marketing and advertising industry is particularly affected. As PPC Land reported in April 2026, browser-level data handling has become a major focal point, with research showing over 80 Chrome extensions legally selling browsing data belonging to 6.5 million users. Ad tech companies, agencies, and marketing platforms routinely access SaaS credentials, client campaign systems, and analytics dashboards through browsers on corporate devices. A browser that holds every saved password in plaintext memory from the moment it launches represents a meaningful attack surface in that context.
The timing of the disclosure also follows a period of heightened attention to browser privacy architecture. PPC Land previously covered Chrome's transition to Manifest V3, which reshaped the extension ecosystem and sparked significant migration discussions. More broadly, browser security decisions now sit at the center of enterprise security posture in ways that were less visible several years ago.
What the policy documentation says about recommendations
Microsoft's own password manager security documentation takes a nuanced position on whether organizations should use the built-in Edge password manager. The document lists a set of questions enterprise security teams should consider, including the kind of attackers they are worried about, whether users select strong and unique passwords, whether accounts are protected with two-factor authentication, and how devices are protected from malware.
The Microsoft security team removed its prior recommendation to disable the built-in password manager in Edge version 114, moving that setting to "Not Configured" based on the availability of new features that altered the security tradeoffs. According to the documentation, "For most threat models, using the Microsoft Edge password manager is the recommended option." That guidance predates the April 2026 cleartext memory disclosure, which specifically concerns not whether to use the password manager but how Edge handles the credentials once they are stored.
The documentation also addresses the comparison with third-party password managers. It acknowledges that some third-party products require a Master Password not stored locally to decrypt credentials - offering partial mitigation against memory scraping. Edge does not currently offer this capability, though the documentation notes that Microsoft offers an optional authentication-before-autofill feature that "provides users an additional layer of privacy and prevents their stored passwords from being used by anyone but them."
No updated guidance from Microsoft had been published in response to the April 29 disclosure as of the time of writing.
Timeline
- July 18, 2024: Last-update date of Microsoft's Edge password manager security documentation, which acknowledges that credentials in memory can be accessed under local attack conditions and classifies such scenarios as outside the browser threat model.
- January 27, 2026: Microsoft updates the ApplicationBoundEncryptionEnabled policy documentation, covering Edge version 127 and above on Windows, clarifying that the policy binds encryption keys for local data storage but does not address in-memory credential storage.
- April 29, 2026: Researcher @L1v1ng0ffTh3L4N discloses the finding at BigBiteOfTech, presented by PaloAltoNtwks Norway. The disclosure includes a proof-of-concept video and a small educational verification tool. Microsoft's official response to the responsible disclosure: "by design."
- May 4, 2026: @L1v1ng0ffTh3L4N posts the proof-of-concept video on X, attracting 5,900 replies. Garett Moreau posts a summary on LinkedIn describing the finding to a professional audience, generating 31 comments and 42 reposts. Cyber Security News publishes a detailed writeup of the disclosure.
- May 4, 2026: PPC Land covers LayerX research showing over 80 Chrome extensions legally selling browsing data belonging to 6.5 million users, highlighting the broader context of browser-level data exposure facing enterprise marketing and ad tech teams.
Related PPC Land coverage
- Chrome dominates with 63% market share, Safari trails at 17% - April 27, 2025
- Chrome's transition to Manifest V3 forces uBlock Origin removal - April 6, 2025
- Your ad blocker is selling your browsing data - and it's legal - May 4, 2026
- Brave blocks your ads and sells its own - and it's working - March 30, 2026
Summary
Who: Researcher @L1v1ng0ffTh3L4N, operating under PaloAltoNtwks Norway, made the disclosure. Microsoft is the company whose browser behavior is described. Security professionals commenting on LinkedIn include Angus Holliday, Anthony Godin, Jamieson O'Reilly, and Mike Pedrick.
What: Microsoft Edge decrypts every stored password into cleartext process memory at the moment the browser launches and retains those credentials in plaintext for the entire browser session. Google Chrome, by contrast, uses on-demand decryption and App-Bound Encryption to limit credential exposure. Microsoft has described the behavior as intentional.
When: The finding was disclosed on April 29, 2026, at BigBiteOfTech. The proof-of-concept video and broader professional discussion emerged on May 4, 2026. Microsoft's official response - "by design" - was given during the responsible disclosure process prior to April 29.
Where: The vulnerability affects Microsoft Edge running on Windows. Terminal servers, Remote Desktop Services environments, VDI deployments, and any shared-access Windows systems are identified as the highest-risk configurations. The disclosure was made at the BigBiteOfTech event, with the educational verification tool released publicly.
Why: The finding matters because it removes what users might assume is a meaningful security layer - the re-authentication prompt in Edge's Password Manager UI - from the actual protection model. Every saved credential is already accessible in plaintext process memory before any UI interaction occurs. In multi-user environments, a single admin-level compromise becomes a mechanism for harvesting credentials from every active user session running Edge. Microsoft has not published updated guidance in response to the disclosure.