{"id":8033,"date":"2026-05-05T19:57:24","date_gmt":"2026-05-05T19:57:24","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8033"},"modified":"2026-05-05T19:57:24","modified_gmt":"2026-05-05T19:57:24","slug":"edge-browser-leaves-passwords-exposed-in-plain-text-says-researcher","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8033","title":{"rendered":"Edge browser leaves passwords exposed in plain text, says researcher"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A Norwegian researcher has identified an issue with Microsoft Edge\u2019s Password Manager that could be a serious concern for businesses.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/tomjoeran\/\" target=\"_blank\" rel=\"noopener\">Tom J\u00f8ran S\u00f8nstebyseter R\u00f8nning<\/a> found that passwords are being saved within the browser in plain text, with the effect that any PC, particularly a shared machine, within an organization is a potential risk.<\/p>\n<p>In a <a href=\"https:\/\/x.com\/L1v1ng0ffTh3L4N\/status\/2051308329880719730\" target=\"_blank\" rel=\"noopener\">post on X<\/a>, R\u00f8nning\u00a0explained that when users save passwords in Edge, the browser decrypts every credential at startup and keeps it resident in process memory, regardless of whether the user visits the site.<\/p>\n<p>R\u00f8nning\u2019s finding was replicated by German IT publication <a href=\"https:\/\/www.heise.de\/en\/news\/Microsoft-Edge-Passwords-end-up-in-memory-as-plaintext-11281576.html\" target=\"_blank\" rel=\"noopener\">Heise.de<\/a>, which created and saved a password and found that, even after the browser had been closed and re-opened, the password could be found in plain text.<\/p>\n<p>Microsoft has been nonchalant about the discovery. 
It said, \u201cDesign choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats. Browsers access password data in memory to help users sign in quickly and securely \u2014 this is an expected feature of the application.\u201d<\/p>\n<p>R\u00f8nning published a <a href=\"https:\/\/github.com\/L1v1ng0ffTh3L4N\/EdgeSavedPasswordsDumper\/tree\/main\/EdgeSavedPasswordsDumper\" target=\"_blank\" rel=\"noopener\">simple tool on GitHub<\/a> that enables people to see for themselves that passwords are stored in plain text in memory.<\/p>\n<p>Microsoft dismissed the significance of the passwords\u2019 visibility, saying, \u201cAccess to browser data as described in the reported scenario would require the device to already be compromised.\u201d<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/dbshipley\/\" target=\"_blank\" rel=\"noopener\">David Shipley<\/a>, CEO of Beauceron Security, is not impressed with Microsoft\u2019s response. \u201cNo, it\u2019s not a feature. That\u2019s an easy way to cop out of responsibility. It\u2019s almost as bad as when firms say \u2018working as designed.\u2019 The point here, as with similar shortcomings, is convenience, speed, and avoiding investing more effort into something that they feel isn\u2019t worth mitigating,\u201d he said.<\/p>\n<p>The bug is an open invitation to cyber criminals, said Shipley. \u201cThe old argument is that if malware gains persistence then it doesn\u2019t make a difference, you\u2019re in trouble anyway. It\u2019s waving the white flag at cybercriminals and turning that white flag into a blank check for info stealers.\u201d<\/p>\n<p>Other browsers don\u2019t suffer from the issue. 
For example, Google Chrome, in line with security industry recommendations, offers a system called App Bound Encryption that encrypts browser data and ensures that it is not stored in process memory in plain text.<\/p>\n<p>It is not a foolproof system; <a href=\"https:\/\/www.packetlabs.net\/posts\/hackers-beat-chromes-app-bound-encryption-for-session-hijacking\/\" target=\"_blank\" rel=\"noopener\">it has been broken in the past<\/a>, but only by determined hackers. The Microsoft bug, on the other hand, requires little skill to exploit.<\/p>\n<p>Shipley said that if Google can do a better job of securing its browser, there is no reason why Microsoft couldn\u2019t do so with Edge. \u201cIt\u2019s clearly not a technical hurdle. It\u2019s a motivational one, which shouldn\u2019t surprise anyone because Microsoft is giving away the browser. You don\u2019t pay for it, so why should they care about locking it down more than the bare minimum?\u201d<\/p>\n<p>Given Microsoft\u2019s attitude, users may well want to look for another password manager, something that would be more secure.<\/p>\n<p><em>This article has been updated with a response from Microsoft.<\/em> <em>It originally appeared on <a href=\"https:\/\/www.computerworld.com\/article\/4167430\/edge-browser-leaves-passwords-exposed-in-plain-text-says-researcher.html\" target=\"_blank\" rel=\"noopener\">Computerworld<\/a>.<\/em><\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A Norwegian researcher has identified an issue with Microsoft Edge\u2019s Password Manager that could be a serious concern for businesses. Tom J\u00f8ran S\u00f8nstebyseter R\u00f8nning found that passwords are being saved within the browser in plain text, with the effect that any PC, particularly a shared machine, within an organization is a potential risk. 
In a [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8024,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8033","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8033"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8033"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8033\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8024"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8033"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8033"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8033"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}