When it comes to security, it’s better to be safe than sorry. That’s the core message Microsoft shared when explaining why its Edge browser will no longer load passwords into memory on startup.
Earlier this month, researcher Tom Jøran Sønstebyseter Rønning found that Edge decrypts every credential on startup and keeps that data in memory. Edge is seemingly the only Chromium-based browser to load all stored passwords into memory using plaintext at startup. In contrast, Chrome only decrypts specific passwords and loads them in plaintext in memory when a user asks to see the password.
Shortly after Rønning shared their findings, Microsoft issued a statement on the discovery explaining that the behavior “is an expected feature of the application.” The company also noted that accessing browser data through the behavior would require a device that was already compromised.
“Based on our existing criteria, this behavior falls within the expected threat model, since the risk begins after an attacker has already compromised the device. At the same time, we believe there’s opportunity to improve. In this blog, we’ll show you what we’re changing and why.”
In an update that brings Edge to version 148, the browser will no longer load passwords into memory on startup. The change is already live in the Canary Channel of Edge and will roll out to all users soon.
It’s an interesting development because Microsoft is simultaneously repeating that the behavior is not a serious security risk and rolling out an immediate change to alter that behavior.
Join us on Reddit at r/WindowsCentral to share your insights and discuss our latest news, reviews, and more.
