Recently, news emerged about an interesting security find in Microsoft Edge. A researcher discovered that Microsoft Edge is storing passwords in memory as plain text, which does not sound right, even for those far from cybersecurity. Initially, Microsoft said that there was nothing to worry about, as the feature was intentionally designed that way, but now the company is making a U-turn.
In a newly published Microsoft Browser Vulnerability Research post, the company reaffirmed that the design "falls within the expected threat model," given that it only becomes a risk if someone already has administrative access to your device. At this point, you are already screwed, as Microsoft can do little with someone running malware with elevated privileges on your device. Still, Microsoft acknowledged that it is also an opportunity to improve.
Microsoft is now working on a priority update (not just AI-powered features) that will roll out to all supported Edge versions across all four channels (version 148 and newer). The patch will prevent the browser from loading passwords into memory as plain text. Microsoft says that this change reflects its commitment to the Secure Future Initiative and a "broader view" into security measures:
That means looking not only at whether something meets the bar for a security issue, but also at where we can reduce exposure through defense-in-depth improvements. In this case, reducing the exposure of passwords in memory is a practical step in that direction.
Microsoft is not revealing exact changes in Edge's password manager. The company only says that users who already store their passwords in Microsoft Edge have nothing to worry about, and the promised patch will fix the reported "issue" without any action required from the end user. You can read more about it in the published blog post here.
6 Comments
Load the comments and join the conversation!
Read the comments, ask the editors questions, show respect and join the conversation.