Microsoft Does U-Turn On Edge ‘By Design’ Password Vulnerability

Microsoft Does U-Turn On Edge ‘By Design’ Password Vulnerability

By Davey Winder
Publication Date: 2026-05-19 13:35:00

Microsoft has now confirmed that a “defense-in-depth change will come to every supported version of Edge” after initially refusing to address a password vulnerability identified for users of the web browser password manager. When I first reported that a researcher had publicly disclosed the security vulnerability, whereby all saved passwords were loaded into memory, in plaintext, at startup, Microsoft said that this happened “by design” and the behavior fell “within the expected threat model.” That was 10 days ago. Now, Microsoft has said that it will “no longer load passwords into memory on startup,” and starting with version 148 and “every supported version of Edge” will get the update, the rollout of which is now being prioritized.

ForbesMy Password Has Been Stolen—What Happens Next?

The Microsoft Edge Saved Passwords Vulnerability Explained

A security…