Microsoft Edge Stores Passwords in Plaintext RAM: Enterprise Risk for SAMA Banks

Microsoft confirms Edge loads every saved password into plaintext RAM at launch — by design. For SAMA-regulated banks, this turns every endpoint into a credential extraction target.

FyntraLink Team

Norwegian security researcher Tom Jøran Sønstebyseter Rønning disclosed a finding that caught enterprise security teams off guard: Microsoft Edge decrypts and loads every saved credential into process memory in cleartext the moment the browser launches — and Microsoft says the behavior is intentional. For financial institutions operating under SAMA's Cyber Security Framework, this "by design" decision converts every employee workstation into a live credential vault accessible to any process that can read Edge's memory space.

How Edge Handles Saved Credentials

Most password managers follow a decrypt-on-demand model: credentials remain encrypted at rest and are only decrypted individually when autofill or sign-in is triggered. Edge takes a different approach. At startup, the browser decrypts the entire credential store — every username, password, and associated URL — and holds the data in plaintext within its process memory. Microsoft's rationale centers on performance: pre-loading credentials speeds up autofill across tabs and Microsoft 365 integrations. The trade-off is that any local process with sufficient privileges to read Edge's memory can harvest the full credential set without triggering DPAPI decryption events that endpoint detection tools typically monitor.

The Attack Surface: From Infostealers to Lateral Movement

This design choice amplifies the impact of common attack vectors already targeting Saudi financial institutions. Infostealer malware families like RedLine, Lumma, and Vidar have long targeted browser credential stores, but they traditionally needed to invoke DPAPI or interact with the Login Data SQLite database — actions that modern EDR platforms flag. With Edge holding cleartext credentials in RAM, an attacker who achieves code execution on an endpoint can perform a straightforward memory dump of the Edge process. The extracted credentials often include access to Microsoft 365 tenants, internal banking portals, SWIFT operator interfaces, and third-party fintech platforms. A single compromised workstation can yield the authentication context for an employee's entire enterprise application portfolio, enabling lateral movement that bypasses network segmentation controls.

Why SAMA-Regulated Banks Should Pay Attention

SAMA's Cyber Security Framework (CSCC) mandates strict controls around credential management, endpoint hardening, and data-at-rest protection. Subdomain 3.3.4 (Identity and Access Management) requires that authentication credentials be protected throughout their lifecycle — a requirement that plaintext credentials resident in volatile memory arguably violate. The NCA Essential Cybersecurity Controls (ECC) reinforce this under control 2-6-1, mandating protection of authentication information during storage and transmission. PCI-DSS Requirement 8.3.2 similarly demands that passwords be rendered unreadable during storage. While Microsoft positions RAM as a transient medium, a forensic acquisition of a running endpoint — or a memory dump triggered by malware — effectively converts that transient state into persistent exposure.

The PDPL (Personal Data Protection Law) adds another dimension. Bank employees who save credentials to corporate Edge profiles may inadvertently store personal banking passwords, healthcare portal credentials, or government service logins alongside corporate ones. A breach that harvests Edge's memory could expose personal data of employees, creating PDPL notification obligations beyond the immediate operational incident.

Microsoft's Position and Why It Falls Short

Microsoft's official stance classifies this as expected behavior, arguing that an attacker who can read process memory already has sufficient access to compromise the endpoint through other means. This reasoning follows Microsoft's longstanding threat model boundary: local administrator access to a machine is considered a full-compromise scenario. The problem with this argument in a banking context is threefold. First, not every memory-read scenario requires admin privileges — certain vulnerability chains and misconfigurations allow unprivileged processes to read other processes' memory. Second, the blast radius of credential exposure far exceeds the blast radius of a single compromised endpoint when those credentials unlock cloud tenants, SaaS platforms, and payment infrastructure. Third, SOC teams building detection logic around DPAPI calls or Login Data file access now have a blind spot: the credentials are already decrypted before any detectable interaction occurs.
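One way to close that blind spot, as an added example that is not part of the original post: a PowerShell hunt over Sysmon ProcessAccess events (Event ID 10) that surfaces processes opening msedge.exe with the PROCESS_VM_READ right, the access any memory dumper needs, and scores the hits with the dump-tool names and comsvcs.dll call-trace signal that the mitigations section mentions. It assumes Sysmon is installed with a ProcessAccess rule that logs msedge.exe as a target; the allowlist path is a placeholder to replace with your own baseline.

```powershell
# Added example, not from the original post: hunt Sysmon ProcessAccess events (Event ID 10)
# for cross-process memory reads against msedge.exe, the point at which a dumper must show
# itself now that no DPAPI call precedes the credentials being in cleartext.
# Assumes Sysmon is installed with a ProcessAccess rule that logs msedge.exe as a target.
$VmRead       = 0x0010                                   # PROCESS_VM_READ access right
$KnownDumpers = @('procdump', 'procdump64', 'rundll32', 'taskmgr', 'werfault')
# Placeholder allowlist: replace with the source images seen in your own baseline (EDR sensor etc.)
$AllowList    = @('C:\Program Files\Windows Defender\MsMpEng.exe')

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 10
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Flatten the <Data Name="..."> elements of the event into a hashtable
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($d.TargetImage -notlike '*\msedge.exe') { continue }
    if ($d.SourceImage -like '*\msedge.exe')    { continue }   # browser processes open each other
    if ($AllowList -contains $d.SourceImage)    { continue }

    $granted = [int]$d.GrantedAccess                           # e.g. "0x1010" or "0x1FFFFF"
    if (-not ($granted -band $VmRead)) { continue }            # no memory-read right requested

    $src     = [IO.Path]::GetFileNameWithoutExtension($d.SourceImage).ToLower()
    $reasons = @('PROCESS_VM_READ on msedge.exe')
    if ($KnownDumpers -contains $src)        { $reasons += "known dump tool: $src" }
    if ($d.CallTrace -match 'comsvcs\.dll')  { $reasons += 'comsvcs.dll MiniDump in call trace' }
    if ($d.CallTrace -match 'UNKNOWN')       { $reasons += 'unbacked (UNKNOWN) module in call trace' }

    [pscustomobject]@{
        Time      = $d.UtcTime
        Source    = $d.SourceImage
        SourcePid = $d.SourceProcessId
        Access    = $d.GrantedAccess
        User      = $d.SourceUser
        Severity  = if ($reasons.Count -gt 1) { 'High' } else { 'Review' }
        Reasons   = ($reasons -join '; ')
    }
}

$hits | Sort-Object Severity, Time | Format-Table -AutoSize
```

Hits with only the generic PROCESS_VM_READ reason are expected from backup agents, crash reporters and the EDR sensor itself; tune the allowlist from a clean baseline before turning the query into an alert.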

Practical Mitigations for Financial Institutions

  1. Enforce enterprise password managers over browser-native storage. Deploy a dedicated credential management solution (CyberArk, 1Password Business, or Keeper) via Group Policy and disable Edge's built-in password manager using the PasswordManagerEnabled policy set to false.
  2. Enable Credential Guard on all endpoints. Windows Credential Guard uses virtualization-based security (VBS) to isolate secrets in a protected memory region that standard processes — including Edge — cannot access. Ensure VBS is enabled across the fleet, particularly on workstations handling SWIFT, core banking, or payment card operations.
  3. Deploy memory integrity monitoring. Configure EDR solutions (Microsoft Defender for Endpoint, CrowdStrike, or SentinelOne) to alert on process memory read operations targeting browser processes. Create custom detection rules for tools like procdump, comsvcs.dll MiniDump, and direct NtReadVirtualMemory calls against msedge.exe.
  4. Mandate phishing-resistant MFA everywhere. FIDO2 security keys or certificate-based authentication ensure that stolen passwords alone cannot grant access to critical systems. SAMA CSCC Subdomain 3.3.5 already recommends multi-factor authentication for privileged and remote access — extend this to all browser-accessible applications.
  5. Audit Edge profiles and synced credentials. Use Microsoft Intune or SCCM to inventory which endpoints have Edge password sync enabled. Disable sync for corporate profiles to prevent credential replication across devices that may have weaker security postures.
  6. Conduct targeted red team exercises. Include browser credential extraction from memory in your next penetration test scope. Validate whether your SOC detects the activity and whether incident response playbooks cover credential compromise from browser memory dumps.
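The policy and platform checks behind items 1, 2 and 5, as an added example (not from the original post or any vendor tool): a PowerShell compliance script for one workstation that audits the Edge machine policies and the Credential Guard state and, with -Enforce, writes the two Edge policy values. It assumes the documented Edge policy registry key and the Win32_DeviceGuard WMI class; Credential Guard is audited only, since enabling it is a VBS and firmware change outside the scope of this script.

```powershell
# Added example, not from the original post: audit a workstation against mitigations 1, 2 and 5
# and, with -Enforce, write the Edge machine policies. Save as a .ps1 and run elevated.
# Assumes the documented Edge policy key HKLM:\SOFTWARE\Policies\Microsoft\Edge.
param([switch]$Enforce)

$EdgePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$Wanted = [ordered]@{
    PasswordManagerEnabled = 0   # mitigation 1: built-in password manager off (use the enterprise vault)
    SyncDisabled           = 1   # mitigation 5: no profile sync, so no credential replication
}
$findings = @()

foreach ($name in $Wanted.Keys) {
    $actual = (Get-ItemProperty -Path $EdgePolicy -Name $name -ErrorAction SilentlyContinue).$name
    $ok     = ($actual -eq $Wanted[$name])
    if (-not $ok -and $Enforce) {
        if (-not (Test-Path $EdgePolicy)) { New-Item -Path $EdgePolicy -Force | Out-Null }
        New-ItemProperty -Path $EdgePolicy -Name $name -PropertyType DWord -Value $Wanted[$name] -Force | Out-Null
        $actual = $Wanted[$name]; $ok = $true
    }
    $findings += [pscustomobject]@{ Control = "Edge policy $name"; Expected = $Wanted[$name]; Actual = $actual; Compliant = $ok }
}

# Mitigation 2: Credential Guard only isolates secrets when VBS is actually running.
# Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = running; SecurityServicesRunning 1 = Credential Guard.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$findings += [pscustomobject]@{ Control = 'VBS running'; Expected = 2; Actual = $dg.VirtualizationBasedSecurityStatus; Compliant = ($dg.VirtualizationBasedSecurityStatus -eq 2) }
$findings += [pscustomobject]@{ Control = 'Credential Guard running'; Expected = 1; Actual = ($dg.SecurityServicesRunning -join ','); Compliant = [bool]($dg.SecurityServicesRunning -contains 1) }

$findings | Format-Table -AutoSize
if ($findings | Where-Object { -not $_.Compliant }) { exit 1 }   # non-zero exit for Intune/SCCM compliance scripts
```

If a blanket sync ban is too broad for your profiles, the narrower Edge policy SyncTypesListDisabled with the passwords type blocks only credential sync while leaving bookmarks and settings alone.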

Conclusion

Microsoft's decision to hold credentials in plaintext RAM is a deliberate performance optimization that fundamentally conflicts with the security posture required of SAMA-regulated financial institutions. The fix is not a patch — it is a policy and architecture decision: remove reliance on browser-native password storage, harden endpoints against memory extraction, and ensure that stolen credentials cannot be used without a second authentication factor. Banks that treat this as a low-priority design quirk risk learning its consequences during an incident where a single infostealer delivers the keys to their entire enterprise.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and endpoint security review tailored to your institution's risk profile.
