
A newly released proof-of-concept (PoC) tool shows how Microsoft Edge handles saved credentials, demonstrating that passwords may be exposed in cleartext within browser process memory.
The researcher behind the tool, Tom Jøran Sønstebyseter Rønning, claims the behavior is longstanding and specific to Edge’s integration with Microsoft’s Password Manager.
The issue was publicly discussed on X, where Rønning shared both technical observations and a working PoC hosted on GitHub. According to the researcher, the tool, named EdgeSavedPasswordsDumper, was developed to demonstrate how credentials saved through Edge’s autofill and password management features are loaded into the browser’s parent process in plaintext. He stated that he tested multiple Chromium-based browsers, including Google Chrome and Brave, and did not observe the same behavior.
Rønning tested Edge version 147.0.3912.98 and observed that all stored credentials are loaded into memory, regardless of whether they are actively needed. He noted that while child processes spawned by Edge do not contain the credentials, the parent process consistently holds them, making it a target for extraction. The PoC demonstrates that an attacker (or malware) with sufficient privileges could dump the memory of the correct Edge process and retrieve saved usernames and passwords in cleartext.
The researcher also highlighted that this technique could be executed using standard tools such as Task Manager to create memory dumps, provided the attacker identifies the correct process. Edge, like other Chromium-based browsers, spawns multiple processes, but Rønning explained that enabling the “Command Line” column in Task Manager helps distinguish the parent process containing the sensitive data.
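For defenders, the memory-read scenario described above can be watched for in process-access telemetry. The following is an added example, not part of the original article or the researcher's PoC: it correlates constructed Sysmon-style ProcessCreate (Event ID 1) and ProcessAccess (Event ID 10) records and flags non-Edge processes that open the Edge parent process with memory-read rights. It assumes the Chromium convention that child processes are launched with a `--type=` switch while the parent is not; the sample paths, PIDs and the `tool.exe` name are made up.

```python
# Constructed Sysmon-style records (not real telemetry). Field names follow
# Sysmon Event ID 1 (ProcessCreate) and Event ID 10 (ProcessAccess).
PROCESS_VM_READ = 0x0010  # Windows access right needed to read another process's memory

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": EDGE, "CommandLine": '"msedge.exe"'},
    {"EventID": 1, "ProcessId": 4388, "Image": EDGE,
     "CommandLine": '"msedge.exe" --type=renderer --renderer-client-id=7'},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": EDGE, "TargetProcessId": 4120, "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\tool.exe",
     "TargetImage": EDGE, "TargetProcessId": 4388, "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": EDGE,
     "TargetImage": EDGE, "TargetProcessId": 4120, "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": EDGE, "TargetProcessId": 4120, "GrantedAccess": "0x1000"},
]

def is_edge(path):
    return path.lower().endswith("\\msedge.exe")

def edge_parent_pids(events):
    """PIDs of Edge processes started without a --type= switch (assumed parent)."""
    return {e["ProcessId"] for e in events
            if e["EventID"] == 1 and is_edge(e["Image"])
            and "--type=" not in e["CommandLine"]}

def suspicious_reads(events):
    """ProcessAccess events where a non-Edge process can read Edge parent memory."""
    parents = edge_parent_pids(events)
    hits = []
    for e in events:
        if e["EventID"] != 10 or e["TargetProcessId"] not in parents:
            continue
        if is_edge(e["SourceImage"]):
            continue  # Edge processes opening each other is normal
        if int(e["GrantedAccess"], 16) & PROCESS_VM_READ:
            hits.append((e["SourceImage"], e["TargetProcessId"], e["GrantedAccess"]))
    return hits

if __name__ == "__main__":
    for src, pid, access in suspicious_reads(SAMPLE_EVENTS):
        print(f"ALERT {src} opened Edge parent pid {pid} with {access}")
```

In production the PID match should also be bounded by time or use the process GUID, since PIDs are reused, and known security tooling that legitimately reads browser memory needs an allowlist.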
Microsoft Edge is a Chromium-based web browser developed by Microsoft and widely deployed across Windows environments. Its integration with Microsoft Password Manager enables users to store and autofill credentials across websites and services, often synchronized with Microsoft accounts. This tight integration, however, appears to introduce differences in how credential data is handled compared to other Chromium implementations.
The PoC tool itself is written in C# targeting the .NET Framework 3.5, which the author says was chosen to minimize potential interference from modern security controls such as the Antimalware Scan Interface (AMSI).
Rønning stated that Microsoft has previously categorized this behavior as “by design,” suggesting that a fix may not be forthcoming. This has sparked debate among other researchers, some of whom noted that similar mechanisms have existed in Chromium in the past, while others questioned whether Edge’s implementation differs significantly because of its proprietary password manager layer.
Update 5/6 – A Microsoft spokesperson responded to our request for a comment with the following statement:
“Safety and security are foundational to Microsoft Edge. Access to browser data as described in the reported scenario would require the device to already be compromised. Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats. Browsers access password data in memory to help users sign in quickly and securely – this is an expected feature of the application. We recommend users install the latest security updates and antivirus software to help protect against security threats.” – a Microsoft spokesperson
