Offensive

Plaintext in Memory: Revisiting Browser Password Security

This blog post shows how browsers expose passwords in memory and how they can potentially be extracted.

Christian Bieg
May 22, 2026

Initial situation

In early May, it became publicly known that Microsoft Edge keeps stored passwords unencrypted in memory when the process starts

 (https://x.com/L1v1ng0ffTh3L4N/status/2051308329880719730). This allowed extracting saved passwords directly from the memory of msedge.exe.

Microsoft responded (see https://microsoftedge.github.io/edgevr/posts/Saved-passwords-in-Edge-memory-what-were-changing-and-why/) and introduced a change in version 148.0.3967.70 that prevents passwords from being present in decrypted form in memory at startup.

Based on this, we further investigated the handling of passwords in memory in Microsoft Edge and Google Chrome.

Observation

 Our analysis revealed that when opening edge://settings/autofill, multiple stored passwords are still decrypted and held in memory. On this page, passwords are not displayed in plaintext by default, so there is no functional need to decrypt them at that point. 

It also turned out that this issue not only affects Microsoft Edge, but also Google Chrome.

Plaintext in Memory: Revisiting Browser Password Security

Automation

A direct call to msedge.exe edge://settings/autofill is not possible. The browser apparently only accepts certain URL schemes at startup (e.g. http:// and https://), but not edge://.

 To make the behavior reproducible and automatable, we proceeded as follows: 

  • Terminate all msedge.exe processes

  • Back up the files in the directory [User Data]/Default/Sessions

  • Deploy a prepared session containing a tab with edge://settings/autofill

  • Start msedge.exe --restore-previous-session to force loading the session

  • Extract the passwords from the process memory

  • Terminate all msedge.exe processes

  • Restore the original session files

We implemented a proof of concept that automates these steps. The approach works with both Microsoft Edge and Google Chrome. The proof of concept can be found here: ChristianBiegAG/SavedPasswordsDumper

Assessment

We reported this behavior to the Chromium team on 2026-05-20. However, the issue was closed with reference to the so-called “Infected Machine” threat model, in which attacks with already existing code execution in the user context are not taken into account.

Regardless of this, the question arises as to what expectations should be placed on an integrated password manager. In many security designs, the principle applies that sensitive data is only decrypted when it is actually needed.

In this specific case, this means:

  1. Decryption as late as possible (on-demand

  2. Restriction to the specifically required entries

  3. Minimization of the time spent in memory

  4. Optional additional user confirmation (e.g. via OS authentication or biometrics)

Other password managers (such as Keepass) implement these principles.
Offensive Research Cleartext Credentials

Similar posts