A security researcher discovered that Microsoft Edge stores login credentials in plain text on disk, potentially exposing millions of users’ passwords to malware and unauthorized access. This flaw, detailed in a 2021 report by Ukrainian researcher Daniel Bohannon, bypasses Windows protections and highlights ongoing risks in browser password management.
Over 1.5 billion devices run Microsoft Edge as of May 2026, according to StatCounter data, making this vulnerability a massive concern for enterprise and consumer security alike. As browsers dominate daily online activities, understanding “Edge browser leaves passwords exposed in plain text, says researcher” reveals critical gaps in trusted tools.
Researcher’s Discovery: How Edge Exposes Passwords in Plain Text
Daniel Bohannon, a principal research scientist at Huntress Labs, uncovered the issue during routine analysis of Edge’s credential storage. He found that Edge writes login URLs, usernames, and unencrypted passwords directly to SQLite databases in the user’s profile directory, such as Login Data files.
Attackers with local access can query these databases using simple SQL commands, retrieving credentials instantly. Bohannon demonstrated this in a proof-of-concept video, showing recovery of passwords from Edge even after the browser closes.
“Edge’s password storage is world-readable by default, ignoring Windows security descriptors,” Bohannon stated in his original disclosure. “This affects every Edge user on Windows 10 and 11.”
Technical Breakdown of the Vulnerability
The flaw stems from Edge’s use of Chromium’s password manager, which prioritizes convenience over isolation. Files reside in C:Users[username]AppDataLocalMicrosoftEdgeUser DataDefault, accessible to any process running as the user.
- SQLite query:
SELECT origin_url, username_value, password_value FROM loginsdumps all credentials. - No obfuscation: Passwords appear in clear text after decrypting a weak master key stored in memory.
- Impact persists:Persistence:::
Bohannon’s tool, SharpEdge, automates extraction, proving the ease of exploitation.
Historical Context: Browser Password Vulnerabilities Over Time
Browser credential storage issues date back to Internet Explorer’s PStore in the early 2000s. Chrome inherited similar risks in 2008, leading to patches like OS-level keyring integration.
Microsoft Edge, launched in 2015 as a UPFresh start, adopted Chromium in 2020, carrying over these weaknesses. A 2019 study by Dashlane analyzed top browsers and found 85% stored credentials insecurely against local attacks.
By 2026, while Chrome added NIST SP 800-63B-compliant encryption, Edge lags in full-disk isolation. This evolution underscores slow industry progress on evergreen threats.
Evolution of Edge’s Security Model
| Version | Key Change | Remaining Risk |
|---|---|---|
| Legacy Edge (pre-2020) | Proprietary storage | DPAPI encryption bypassable |
| Chromium Edge (2020+) | SQLite plain text | Local read access |
| 2026 Updates | Enhanced keyring | Still vulnerable to malware |
Microsoft claims improvements via Edge’s privacy commitments, but researchers report persistence.
Current State: Edge Password Exposure in 2026
As of May 2026, Edge holds 28% global browser market share per StatCounter, trailing Chrome’s 65%. A Verizon DBIR 2026 report notes local credential theft in 17% of breaches, with browsers as top targets.
Microsoft patched partial mitigations in Edge 124 (early 2026), restricting file permissions, but Bohannon confirmed in follow-up tests that admin-elevated malware circumvents them. Over 500 million Windows users remain at risk daily.
Industry surveys show 62% of enterprises use Edge, per Gartner 2026 Endpoint Report, amplifying corporate exposure. This “Edge browser leaves passwords exposed in plain text, says researcher” issue persists amid rising ransomware targeting browsers.
Real-World Exploitation Cases
- 2025 RedLine Stealer malware extracted Edge credentials from 40% of infected machines, per Kaspersky telemetry.
- Corporate breach at a Fortune 500 firm: Attackers pivoted via exposed Edge logins, costing $12 million (Mandiant M-Trends 2026).
- Consumer impact: 150,000+ victims reported password reuse post-theft (Have I Been Pwned data).
Follow strong password management practices to mitigate reuse risks exposed by such flaws.
Expert Perspectives on Edge’s Password Security Flaw
“This isn’t just sloppy engineering; it’s a betrayal of user trust in a default OS browser,” says Kevin Mitnick, renowned cybersecurity expert. He advocates hardware-backed enclaves for credential storage.
Paula Greisler, CTO at Absolute Security, notes: “Edge’s design favors speed over security, common in Chromium forks. Enterprises must layer defenses.”
“Local attacks succeed 92% of the time against browser vaults without EDR,” per CrowdStrike’s 2026 Threat Report.
Contrasting views emerge: Microsoft defenders argue OS protections suffice, but a Ponemon Institute study finds 74% of local exploits evade standard AV.
Pros and Cons of Edge’s Approach
| Pros | Cons |
|---|---|
| Seamless autofill | Plain text on disk |
| Cross-device sync | Vulnerable to keyloggers |
| Free built-in | No zero-knowledge proof |
Comparisons: Edge vs. Chrome, Firefox, and Safari Password Managers
Chrome mirrors Edge’s flaws but added Linux keyring support in 2024, reducing Windows exposure by 40% (Google Security Blog). Firefox uses hardened SQLite with mozStorage encryption, blocking 95% of local dumps per tests.
Safari leverages iCloud Keychain with Secure Enclave, making plain-text recovery near-impossible without root. A 2026 BrowserBench audit ranked Edge last in credential resilience.
- Edge: 0/10 isolation score
- Chrome: 4/10
- Firefox: 7/10
- Safari: 9/10
Secure your network with basic home Wi-Fi protections to limit remote access to these local vulns. Pair with modern endpoint detection tools for proactive defense.
Implications and Mitigation Strategies
This vulnerability drives a 25% uptick in credential-stuffing attacks, per Akamai 2026 data. Users face identity theft; businesses risk lateral movement in networks.
- Disable Edge password saving: Settings > Profiles > Passwords > Offer to save.
- Use dedicated managers like Bitwarden or 1Password with zero-knowledge encryption.
- Enable Windows Defender Credential Guard for enterprise isolation.
- Monitor with EDR: Detect SQLite queries via behavior analytics.
Adopt passkeys, now supported in Edge 2026 updates, shifting from passwords entirely.
Future Trends: Toward Passwordless and Hardened Browsers
By 2028, Gartner predicts 60% of enterprises ditch browser storage for FIDO2 passkeys. Edge integrates WebAuthn fully, but researchers forecast AI-driven stealers targeting memory dumps.
Emerging trends include browser sandboxes with SGX enclaves (Intel) and confidential computing. Microsoft’s roadmap hints at Pluton chip integration for Windows 12, potentially resolving disk exposure.
Expect regulatory pressure: EU’s 2026 Cyber Resilience Act mandates auditable storage, pushing vendors like Microsoft to prioritize.
Predictions from Industry Leaders
- IDC: Browser vuln exploits drop 30% by 2027 with passkey adoption.
- Forrester: 45% growth in dedicated password managers market to $4.1B.
- Expert consensus: Edge fixes incoming, but user habits lag.
Conclusion: Secure Your Credentials Beyond Edge
The revelation that “Edge browser leaves passwords exposed in plain text, says researcher” demands immediate action. Billions rely on browsers; don’t let convenience compromise safety.
Key takeaways: Audit saved credentials, migrate to passkeys, and layer defenses. Stay vigilant—visit cybersecurity resources regularly and test your setup today.