An attacker with administrative privileges can gain access to Microsoft Edge user passwords even when they're not in use, because the browser stores them in cleartext in process memory as part of a design decision by Microsoft.

Security researcher Tom Jøran Sønstebyseter Rønning revealed the issue and how it can be exploited in a proof-of-concept (PoC) tool at Palo Alto Networks Norway's BIG Bite of Tech conference last week. He subsequently posted resources for the PoC and tool on GitHub.

The basic issue is that Microsoft Edge decrypts and stores all passwords that have been saved in the browser in process memory, "even if the person never visits the site that uses those credentials," Rønning, offensive security/internal penetration tester and technical team lead of proactive security at Norway's Statnett SF, wrote on X in one of a series of posts detailing the issue. He conducted the research about the issue in his own time and not in his role at the company, he noted.