UMVA has learned that Microsoft Edge has quietly shifted its security posture, abandoning a long‑standing practice of keeping all saved passwords in plain text within memory.
For years, users trusted that their digital secrets were safely tucked away, encrypted and guarded by the browser’s own safeguards. Yet a Norwegian security researcher uncovered a startling flaw: Edge would load every stored password into RAM, exposing them to anyone with local access.
The vulnerability meant that, even when not actively typing, a malicious actor could simply read the computer’s memory and copy every password in a single glance.
When the researcher demonstrated the breach in a short video, the reaction was immediate and alarmed. The browser’s own password manager, which should rely on encryption and temporary decryption, was revealed to hold secrets in plain sight.
Other browsers and built‑in managers do not exhibit this behavior; they load passwords only when needed, decrypt them briefly, and then purge them from memory.
Edge’s developers responded by labeling the practice a “deliberate design decision,” a claim that raised more questions than answers about the intended benefit for users.
UMVA has gathered that the change came with Edge version 148, which will no longer keep passwords in unencrypted form, marking a critical shift in the browser’s security strategy.
Until this update, the risk remained stark: a single keylog or memory dump could expose every stored credential, turning a user’s own browser into a vault of vulnerability.
Those who rely on Edge for password storage are urged to migrate to a more secure manager and purge all saved passwords from the browser before the new version rolls out.