Overview
- Following Monday’s disclosure on X, researcher Tom Jøran Sønstebyseter Rønning showed that Edge decrypts all saved passwords at startup and keeps them in RAM in cleartext.
- Microsoft told reporters the behavior is by design and said reading that data would require a compromised device; no patch or change was announced.
- Rønning’s proof‑of‑concept and a public checking tool demonstrate that anyone with admin rights on a shared or terminal server can dump other users’ passwords from Edge’s process memory.
- Tests and coverage note that Chrome does not do this: it decrypts passwords only when needed and uses App‑Bound Encryption to tie keys to a verified Chrome process.
- MSRC previously marked a similar 2025 report as not a vulnerability, and security writers now advise moving passwords out of Edge to a dedicated manager and deleting any saved in the browser.