Microsoft is updating Edge so saved passwords will no longer be loaded into process memory in clear text at startup, reversing a behavior that a researcher had shown could expose credentials. The change follows disclosure by Tom Jøran Sønstebyseter Rønning and will roll out to all supported Edge channels as a defense-in-depth improvement.
Key points
- Edge previously decrypted saved passwords and kept them in memory on launch.
- Researcher Tom Jøran Sønstebyseter Rønning reported the issue and published a PoC tool.
- Attackers with Administrator privileges could dump passwords from other users’ Edge processes.
- Microsoft first said the behavior was by design, then decided to change it.
- The fix is live in Edge Canary and will reach all supported Edge releases starting with build 148.