HackMyIP
2026-05-05 Dark Reading

Edge Password Leak in Process Memory Threatens Enterprise

Vulnerability | Authentication | Data Breach

A new proof‑of‑concept (PoC) published by security researcher Alex Chen of CyberX Labs shows that Microsoft Edge stores user passwords in plaintext within the browser’s process memory, exposing them to any privileged code running on the same host. By attaching a small memory‑dump utility to the msedge.exe process, Chen was able to locate the credential strings in the heap and extract them without triggering any Windows security alerts. The PoC works on all recent Edge versions up to 120.0.2210.91 and requires only an administrator‑level account on the targeted workstation.

The exploit leverages Edge’s built‑in password manager, which caches autofill data in an unprotected memory region after a user logs into a site. Once the browser loads the saved credentials, the password string remains in the process address space until the tab or the entire Edge instance is closed. Chen demonstrated that a malicious DLL injected under a privileged user context can read these strings, effectively bypassing Edge’s "secure storage" safeguards that rely on Windows DPAPI only when the password is written to disk, not while it resides in RAM.

From an enterprise perspective, the flaw creates a high‑risk lateral‑movement path. An attacker who compromises a machine with admin rights can harvest stored credentials for Microsoft 365, Azure AD, corporate VPNs, and other cloud services, then use them to pivot deeper into the network without triggering multi‑factor authentication prompts. In a real‑world scenario, a compromised admin account could become a foothold for ransomware deployment or data exfiltration, amplifying the impact of a single compromised endpoint.

Microsoft acknowledged the issue and pointed out that the behavior aligns with its design philosophy of trusting processes running under the same user context. The company recommends enabling Windows Defender Credential Guard, enforcing Windows Hello for authentication, or migrating to a third‑party password manager that stores credentials outside the browser process. Until these mitigations are widely deployed, organizations should treat any admin‑level compromise as a potential credential harvest event and monitor for unusual Edge memory‑access patterns.
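One way to act on the monitoring advice above, as an added example that is not from the article, the researcher, or Microsoft: triage Sysmon Event ID 10 (ProcessAccess) records for handles opened on msedge.exe with memory-access rights. It assumes Sysmon ProcessAccess logging is enabled; the sample events and the allowlist are constructed and must be tuned per fleet.

```python
# Added example: flag cross-process access to msedge.exe in Sysmon Event ID 10 data.
# Access-mask bits are the documented Windows process access rights.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Hypothetical allowlist (assumption): images expected to open Edge with these rights.
EXPECTED_SOURCES = {
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
    r"c:\windows\system32\csrss.exe",
}
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed sample events using Sysmon's ProcessAccess field names.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": EDGE, "TargetImage": EDGE,
     "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\memtool.exe",
     "TargetImage": EDGE, "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Temp\loader.exe",
     "TargetImage": EDGE, "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": EDGE, "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Temp\loader.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1fffff"},
]

def classify(event):
    """Return the reasons an event deserves review, or [] if it does not."""
    if event.get("EventID") != 10:
        return []
    if not event["TargetImage"].lower().endswith("\\msedge.exe"):
        return []
    if event["SourceImage"].lower() in EXPECTED_SOURCES:
        return []
    access = int(event["GrantedAccess"], 16)
    reasons = []
    if access & PROCESS_VM_READ:
        reasons.append("memory read")
    if access & (PROCESS_VM_WRITE | PROCESS_CREATE_THREAD):
        reasons.append("memory write or thread creation")
    return reasons

def suspicious(events):
    """Pair each flagged source image with its reasons."""
    return [(e["SourceImage"], r) for e in events if (r := classify(e))]

if __name__ == "__main__":
    for source, reasons in suspicious(SAMPLE_EVENTS):
        print(f"{source}: {', '.join(reasons)}")
```

Endpoint security products legitimately open browser processes with these rights, so build the allowlist from a baseline of your own telemetry before alerting on the results.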

Source: Dark Reading
