A cybersecurity researcher has released a proof-of-concept tool that demonstrates security risks in Microsoft Edge's handling of saved passwords. The researcher, who goes by the name Tom Jøran Sønstebyseter Rønning on the Internet, shared his findings on social platforms including X and gave a full demonstration.

According to him, Microsoft Edge will load the user’s saved account passwords in clear text into the system memory when the browser starts, even if these credentials are not currently used. Even more intriguingly, the browser continues to ask the user to log in again even when all passwords reside in memory in an unprotected form.

To illustrate this behavior more intuitively, the researchers released a tool called “EdgeSavedPasswordsDumper” on GitHub. The project is positioned as an educational utility designed to help security professionals and ordinary users verify how saved credentials are managed in browser environments. The tool accesses the browser's process memory to extract usernames and passwords that may be in human-readable form.

Research shows that the parent process of Microsoft Edge continues to hold these decrypted credentials, and once an attacker obtains sufficient system privileges, this process may become a target for password extraction. This risk is particularly acute for organizations running shared accounts or multi-user environments, as a compromise of an account with administrator privileges would allow an attacker to access data across multiple active sessions.

It should be pointed out that this technology itself does not constitute a remote attack method, but in the scenario where the attacker has obtained high-privilege access, it becomes a weapon for further lateral movement or stealing sensitive information. In this case, operations such as memory dumps through common management tools may leak the login information stored therein.

The researchers’ testing also found that this issue appears to be an Edge-specific behavior, and the same pattern is not observed in other Chromium-based browsers such as Google Chrome and Brave. The latter usually only decrypts the credentials when needed, without keeping them in clear text in memory for an extended period of time. However, this does not mean that Chrome is completely free of hidden dangers. For example, previous reports pointed out that Chrome lags behind products such as Edge, Firefox, and Brave in the important privacy feature of browser fingerprint protection.

Even more puzzling is that when the researchers tried to notify Microsoft of the issue, Microsoft apparently classified the behavior as "working by design." Beyond this statement, Microsoft did not appear to provide any further response or explanation.