When it comes to safety, it’s better to be safe than sorry. That’s the main message Microsoft shared when explaining why the Edge browser will no longer load passwords on startup.
Earlier this month, researcher Tom Jøran Sønstebyseter Rønning discovered that Edge decrypts each saved credential at startup and keeps that information in memory. Edge is the only Chromium-based browser to load all saved passwords into memory in clear text at startup. In contrast, Chrome only decrypts a specific password, and holds it in clear text, when the user wants to see that password.
Shortly after Rønning shared his findings, Microsoft released a statement about the discovery, explaining that the behavior was “an expected feature of the app.” The company also noted that accessing browser data through this behavior requires an already compromised device.
“Based on our existing criteria, this behavior fits the expected threat model because the risk starts after the attacker has already stolen the device. At the same time, we believe there is room for improvement. In this blog, we’ll show you what we changed and why.”
In the update that brings Edge to version 148, the browser won’t load saved passwords into memory when it’s launched. The change is now rolling out on the Canary Channel of Edge and will roll out to all users soon.
This is an interesting development because Microsoft is simultaneously reiterating that this behavior is not a serious security risk and immediately changing it.