RSS

Microsoft backpedals: Edge to stop loading passwords into memory

Cider99862 pts0 comments

Microsoft backpedals: Edge to stop loading passwords into memory

Home<br>News<br>Microsoft<br>Microsoft backpedals: Edge to stop loading passwords into memory

Microsoft backpedals: Edge to stop loading passwords into memory

By Sergiu Gatlan

May 15, 2026

10:49 AM

Microsoft is updating the Edge web browser to ensure it no longer loads saved passwords into process memory in clear text at startup after previously stating it was "by design."

This behavior was disclosed on May 4 by security researcher Tom J&oslash;ran S&oslash;nstebyseter R&oslash;nning, who demonstrated that all credentials stored in the Edge built-in password manager were decrypted on launch and kept in memory even when not in use.

R&oslash;nning also released a proof-of-concept (PoC) tool that would allow attackers with Administrator privileges to dump passwords from other users' Edge processes (without admin privileges, the PoC only allows accessing Edge processes launched by the same user).

He also said he reported the issue to Microsoft and was told the behavior was "by design" before he publicly disclosed it.

"Edge is the only Chromium‑based browser I've tested that behaves this way. By contrast, Chrome uses a design that makes it far harder for attackers to extract saved passwords by simply reading process memory," the researcher said.

While it initially refused to address the issue, telling BleepingComputer at the time that "this is an expected feature of the application," Microsoft announced on Wednesday that future versions of Edge will no longer load saved passwords into memory on startup, even though the reported scenario falls within the expected existing threat model (which excludes attacks where an adversary already has administrative control of a device).

"This defense-in-depth change will come to every supported version of Edge (Stable, Beta, Dev, Canary, and the Extended Stable channel our enterprise customers run), and we're prioritizing the rollout," said Microsoft Edge Security Lead Gareth Evans.

"With our commitment to the Secure Future Initiative and customer feedback, we are taking a broader view. That means looking not only at whether something meets the bar for a security issue, but also at where we can reduce exposure through defense-in-depth improvements. In this case, reducing the exposure of passwords in memory is a practical step in that direction."

The fix is already live in the Edge Canary channel and will be included in the next update for all supported Edge releases (build 148 and newer).

Last year, Microsoft also introduced a new Edge security feature to protect users against malicious extensions sideloaded into the web browser, and restricted access to Edge's Internet Explorer mode after hackers began leveraging zero-day exploits in the Chakra JavaScript engine to access target devices.

The Validation Gap: Automated Pentesting Answers One Question. You Need Six.

Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.<br>This guide covers the 6 surfaces you actually need to validate.

Download Now

Related Articles:

Microsoft: Some Teams users can&rsquo;t join meetings after Edge update<br>Firefox now has a free built-in VPN with 50GB monthly data limit<br>Windows 11 and Microsoft Edge hacked at Pwn2Own Berlin 2026<br>Microsoft warns of Exchange zero-day flaw exploited in attacks<br>Microsoft to automatically roll back faulty Windows drivers

Browser

Microsoft

Microsoft Edge

Passwords

Web Browser

Sergiu Gatlan

Sergiu is a news reporter who has covered the latest cybersecurity and technology developments for over a decade. Email or Twitter DMs for tips.

Previous Article

Next Article

Comments

IhateMicroSoft - 4 hours ago

I guess that is one way to avoid paying out a bug bounty. "By design!", now lets fix it and do the right thing, without paying out.

Mr.Tom - 4 hours ago

""this is an expected feature of the application"

They probably call all those 120 flaws they fixed Tuesday "features" too.

NoneRain - 3 hours ago

classic Microslop

Post a Comment Community Rules

You need to login in order to post a comment

Not a member yet? Register Now

You may also like:

Upcoming Webinar

Popular Stories

Windows BitLocker zero-day gives access to protected drives, PoC released

Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero-days

Dell confirms its SupportAssist software causes Windows BSOD crashes

Sponsor Posts

https://www.nmftacyber.com/

12 steps to defend against AI-powered exploits before the Glasswing report drops

Overdue a password health-check? Audit your Active Directory for free

Are stolen sessions bypassing your security? Find out for free.

Upcoming Webinar

Login

Username

Password

Remember Me

Sign in anonymously

Sign in with Twitter

Not a member yet? Register Now

Reporter

Help us...

edge microsoft passwords memory browser security

Related Articles

Elevated error rates on requests to multiple models

recroad9 ptsclaude incident islands rates elevated error

Donald Trump and sons to be 'forever' exempt from tax audits

doener9 ptsdigital access newsletters premium financial times

PopuLoRA: Co-Evolving LLM Populations for Reasoning Self- Play

AMavorParker8 ptstasks model training self populora play

Old Reddit Is Down

Crunsher7 ptsdata autoplay videoplayerelement comments function false

The ultimate female fantasy – A feminist critique of Beauty and the Beast

muge6 ptsbeast story paglia beauty older butler
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.