Security researchers have discovered that Microsoft Edge saves user passwords in cleartext, a practice they claim can lead to widespread credential harvesting on shared computers.
According to a report from PC Gamer, the vulnerability exists because the browser stores sensitive login information without robust encryption. This lack of protection makes it possible for anyone with physical or remote access to the device's file system to read the credentials directly.
Researchers warn that this design choice turns shared workstations into high-risk environments. On computers used by multiple people, such as those in libraries, internet cafes, or office settings, a malicious actor could easily extract saved passwords to compromise other accounts.
A built-in risk
The outlet reported that the issue is not a traditional 'bug' but rather a feature of how the browser operates 'by design.' This means that storing the data unencrypted is a fundamental part of the current architecture for these specific password files.
Researchers argue that this specific configuration 'turns into a credential harvest' when users share hardware. Because the files are easy to access and stored in plain text, automated scripts can scrape the data without needing to bypass complex security layers.
While Microsoft has not officially classified this as an issue requiring a critical security patch, the discovery highlights a significant gap in the browser's local data protection. Users who access sensitive accounts on public or shared machines are particularly vulnerable to this type of data exposure.