Microsoft Patches Edge's Plain-Text Password Flaw

Microsoft admits its Edge browser stores passwords in plain text in memory and is prioritizing a fix to secure them against potential attacks.

*Microsoft's browser has been keeping user passwords exposed in memory, but a fix is now prioritized to lock them down properly.*

Microsoft Edge stores passwords in plain text while they're in use, leaving them vulnerable to anyone who can access the browser's memory. This practice, which Microsoft now calls out as unacceptable, prompted the company to fast-track a security update for its Chromium-based browser.

Edge, Microsoft's default browser on Windows and increasingly on other platforms, includes a built-in password manager to save and autofill login credentials across sites. Like competitors such as Chrome and Firefox, it handles sensitive data during sessions, but the plain-text storage in memory sets it apart in a risky way. Previously, this meant that if malware or a debugging tool probed Edge's processes, passwords could be read directly without decryption.

The issue came to light through Microsoft's own security review, leading to an admission that plain-text handling isn't secure enough for modern threats. No specific exploits tied to this flaw have been detailed yet, but the company emphasized the need for better protection against memory-scraping attacks. The fix, described as a priority update, will encrypt or obscure passwords in memory to prevent easy extraction.

In a statement on the matter, Microsoft engineers noted the change aligns with broader efforts to harden Edge against evolving attack vectors. The update is slated for the next stable release channel, though exact timing remains under wraps. This isn't the first password-related tweak for Edge; past versions have improved autofill security, but memory handling has lagged.

Security researchers have long flagged plain-text storage in browsers as a weak point. Tools like process explorers or even certain browser extensions could inadvertently expose credentials. Microsoft's move addresses this head-on, without waiting for a public vulnerability report.

While no direct user impact from exploits has been reported, the admission highlights ongoing challenges in browser security. Other browsers face similar scrutiny—Chrome, for instance, uses more layered protections—but Edge's market share growth makes its fixes more urgent.

This patch matters because browsers are the front line for user data in an era of rampant phishing and malware. Storing passwords in plain text invites disaster; a single breach could expose logins for email, banking, or work accounts. Microsoft gets credit for owning the problem and acting quickly, but it underscores why users shouldn't rely solely on built-in managers—pairing Edge's tool with a dedicated app like Bitwarden adds real security without much hassle. The real win here is forcing the industry to treat memory as hostile territory, not a safe haven.

Edge users can expect the update soon, closing a gap that should never have existed in the first place.
