Edge Leaves Saved Passwords Sitting in Process Memory
Original source: Microsoft Edge Stores Passwords in Process Memory, Posing Enterprise Risk (Dark Reading)
Microsoft Edge retains saved credentials in plaintext within its running process memory, where any local actor with sufficient privileges — malware, a compromised user session, or a forensic memory dump — can scrape them directly. The behavior bypasses the protections users assume they get from the browser’s password manager, since DPAPI-encrypted storage on disk is irrelevant once the secrets are decrypted into addressable RAM.
For enterprises, this turns a single endpoint compromise into a credential harvest across every site the user has logged into. Info-stealer families already target browser memory regions specifically because of this class of weakness, and Edge’s footprint in managed Windows fleets makes it a high-value surface.
Mitigations are limited until the browser changes its memory handling: enforce policy to disable in-browser password storage, push users to a dedicated password manager with hardware-backed protection, and prioritize EDR rules that flag process memory reads against msedge.exe.
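One way to express the last mitigation as detection logic, added here as an illustration and not taken from the article: it filters Sysmon ProcessAccess (Event ID 10) records for handles on msedge.exe that include `PROCESS_VM_READ`. The allowlist entry is hypothetical and the sample events are constructed.

```python
# Added example: flag Sysmon ProcessAccess (Event ID 10) records in which a
# non-Edge process opens msedge.exe with memory-read rights.
PROCESS_VM_READ = 0x0010  # Windows process access right
EDGE = "msedge.exe"
EDGE_PATH = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
# Assumption: site-specific allowlist (hypothetical path) of approved tools.
ALLOWED_SOURCES = {r"c:\program files\exampleedr\agent.exe"}


def reads_edge_memory(event):
    """True if a non-Edge, non-allowlisted process got VM_READ on msedge.exe."""
    if event.get("EventID") != 10:
        return False
    target = event.get("TargetImage", "").lower()
    source = event.get("SourceImage", "").lower()
    if target.rsplit("\\", 1)[-1] != EDGE:
        return False
    # Edge's own processes open each other routinely; match on the full path
    # so a binary merely named msedge.exe elsewhere is not skipped.
    if source == target or source in ALLOWED_SOURCES:
        return False
    try:
        access = int(event.get("GrantedAccess", "0x0"), 16)
    except ValueError:
        return True  # malformed mask on an Edge target: surface for review
    return bool(access & PROCESS_VM_READ)


def detect(events):
    return [e for e in events if reads_edge_memory(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\a\AppData\Local\Temp\upd.exe",
     "TargetImage": EDGE_PATH, "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": EDGE_PATH,
     "TargetImage": EDGE_PATH, "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": EDGE_PATH, "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\ExampleEDR\agent.exe",
     "TargetImage": EDGE_PATH, "GrantedAccess": "0x0010"},
    {"EventID": 10, "SourceImage": r"C:\Users\a\Downloads\msedge.exe",
     "TargetImage": EDGE_PATH, "GrantedAccess": "0x0010"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["SourceImage"], hit["GrantedAccess"])
```

Expect the allowlist to need tuning per fleet, since security agents and accessibility tools legitimately open browser processes with read access.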
This is an AI-generated summary. Read the original for the full story.