When you save passwords in Edge, the browser decrypts every credential at startup and keeps them resident in process memory. This happens even if you never visit a site that uses those credentials.
At the same time, Edge requires you to re‑authenticate before showing those same passwords in the Password Manager UI — yet the browser process already has them all in plaintext.
Edge is the only Chromium‑based browser I’ve tested that behaves this way. By contrast, Chrome uses a design that makes it far harder for attackers to extract saved passwords by simply reading process memory.
It decrypts credentials only when needed, instead of keeping all passwords in memory at all times. App‑Bound Encryption (ABE) adds another layer by binding decryption to an authenticated Chrome process, preventing other processes from reusing Chrome’s encryption keys.
Because of these controls, plaintext passwords appear only briefly during autofill or when the user views them, making broad memory scraping far less effective. The risk of keeping the passwords in cleartext in memory becomes evident in shared environments.
If an attacker gains administrative access on a terminal server, they can access the memory of all logged‑on user processes. In the video the attacker has compromised a user account with administrative rights and is able to view stored credentials for two other logged on (or even disconnected) users with Edge running.
I reported this to Microsoft, and the official response was that the behavior is "by design". They have been informed that I would be sharing this as a responsible disclosure so users and organizations can make informed decisions about how they manage credentials.
Last Wednesday (April 29th) I disclosed this on BigBiteOfTech by Norway
Simple, educational proof of concept, to show that the passwords are stored in cleartext in memory.
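For defenders on shared hosts such as the terminal server described above, one way to surface cross-process memory reads against Edge is to triage Sysmon Event ID 10 (ProcessAccess) records. This is an added example, not part of the original post or its proof of concept; the sample events, the `C:\Temp\tool.exe` and `ExampleEDR` paths, and the allow-list are constructed, and it assumes a Sysmon version and configuration that logs ProcessAccess for `msedge.exe` targets with the `SourceUser` and `TargetUser` fields.

```python
import ntpath

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory
EDGE = "msedge.exe"
EDGE_PATH = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

def _ev(src, tgt, access, src_user, tgt_user):
    """Build a constructed record using Sysmon ProcessAccess field names."""
    return {"EventID": 10, "SourceImage": src, "TargetImage": tgt,
            "GrantedAccess": access, "SourceUser": src_user, "TargetUser": tgt_user}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    _ev(EDGE_PATH, EDGE_PATH, "0x1fffff", r"CORP\alice", r"CORP\alice"),
    _ev(r"C:\Temp\tool.exe", EDGE_PATH, "0x1010", r"CORP\admin1", r"CORP\bob"),
    _ev(r"C:\Windows\System32\taskmgr.exe", EDGE_PATH, "0x1000", r"CORP\admin1", r"CORP\bob"),
    _ev(r"C:\Temp\tool.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "0x1010", r"CORP\admin1", r"CORP\bob"),
    _ev(r"C:\Program Files\ExampleEDR\agent.exe", EDGE_PATH, "0x1410",
        r"NT AUTHORITY\SYSTEM", r"CORP\bob"),
]

def _is_edge(image):
    return ntpath.basename(image).lower() == EDGE

def suspicious_edge_reads(events, allowed_sources=()):
    """Return ProcessAccess events where a non-Edge process got VM_READ on Edge."""
    allowed = {p.lower() for p in allowed_sources}
    hits = []
    for ev in events:
        if ev.get("EventID") != 10 or not _is_edge(ev.get("TargetImage", "")):
            continue
        try:
            access = int(ev.get("GrantedAccess", "0"), 16)
        except ValueError:
            continue  # malformed mask: skip rather than guess
        if not access & PROCESS_VM_READ:
            continue  # handle cannot be used to read memory
        src = ev.get("SourceImage", "")
        cross_user = ev.get("SourceUser", "").lower() != ev.get("TargetUser", "").lower()
        if _is_edge(src) and not cross_user:
            continue  # the browser's own processes talking to each other
        if src.lower() in allowed:
            continue  # vetted tooling, e.g. an EDR agent
        hits.append({"source": src, "source_user": ev.get("SourceUser"),
                     "target_user": ev.get("TargetUser"), "cross_user": cross_user})
    return hits
```

Cross-user hits are the ones that match the shared-host scenario in the post; same-user hits are still worth reviewing because any process running as the user can read that user's browser memory.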
If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security.
~Satya Nadella, Microsoft Chairman and CEO, May 3, 2024
https://blogs.microsoft.com/blog/2024/05/03/prioritizing-security-above-all-else/
So much for that I guess.