WordPress Cleartext Password Stored In Browser Memory
I have been performing penetration testing on a stock WordPress install. A persistence concern I see is that WP stores cleartext passwords within the browser memory.
To reproduce:
Log in to WordPress and then log back out.
Close that particular tab, but keep Chrome open.
Create a dump file of the browser memory.
Open the dump file and search for the password; you will then see it present in clear text.
How can I prevent this from happening?
Regardless of the context of someone actually viewing the password this way, the use of a cleartext password cannot be good practice?
Ref: https://cwe.mitre.org/data/definitions/316.html
wordpress security browser passwords penetration-testing
What tool did you use for the export? Official browser plugin, nirsoft, etc.?
– f.overflow
Nov 12 '18 at 14:28
Hi @f.overflow, actually this can be done without any tool. In Task Manager => Applications, right click Chrome and click "Create Dump File". Open that file, and search for your WP password and it can be seen as text.
– David.J
Nov 12 '18 at 14:41
edited Nov 15 '18 at 12:07 by David.J
asked Nov 8 '18 at 14:27 by David.J
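The check described in the question and its comments (search the dump for the password), as an added example that is not part of the original posts: it looks for a known test credential in the encodings a browser process is likely to hold, since a plain text search matches only one of them. The function names, the sample credential and the sample dump are constructed for illustration; `pwd` is the password field name submitted by the WordPress login form.

```python
"""Retest helper: look for a known test credential in a process dump."""
import mmap
import sys
from urllib.parse import quote_plus


def encodings_of(secret: str) -> dict:
    """Byte patterns that can represent the same typed string in memory."""
    return {
        "utf-8": secret.encode("utf-8"),
        # Windows processes and browser engines often keep text as 16-bit units.
        "utf-16le": secret.encode("utf-16-le"),
        # Approximation of the submitted login form body (field name "pwd").
        "form-urlencoded": b"pwd=" + quote_plus(secret).encode("ascii"),
    }


def find_all(data, pattern: bytes) -> list:
    """Return every offset at which pattern occurs in data (bytes or mmap)."""
    offsets, pos = [], data.find(pattern)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(pattern, pos + 1)
    return offsets


def scan(data, secret: str) -> dict:
    """Map each encoding name to the offsets where the secret was found."""
    return {name: find_all(data, pat) for name, pat in encodings_of(secret).items()}


def scan_file(path: str, secret: str) -> dict:
    """Scan a dump file without loading it fully into memory."""
    with open(path, "rb") as fh, \
            mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return scan(mm, secret)


def build_sample_dump(secret: str) -> bytes:
    """Constructed stand-in for a dump: filler bytes with the secret planted
    once as UTF-16LE text and once inside a login form body."""
    filler = bytes(range(256)) * 4
    form = b"log=admin&pwd=" + quote_plus(secret).encode("ascii") + b"&wp-submit=Log+In"
    return filler + secret.encode("utf-16-le") + filler + form + filler


if __name__ == "__main__":
    if len(sys.argv) > 1:
        import getpass  # prompt, so the credential stays out of shell history
        result = scan_file(sys.argv[1], getpass.getpass("Test password: "))
    else:
        demo = "Wp-Retest&2018!"  # constructed test credential
        result = scan(build_sample_dump(demo), demo)
    for name, offs in result.items():
        print(f"{name}: {len(offs)} hit(s), first offsets {offs[:5]}")
```

Running it against dumps taken before and after closing the tab gives a per-encoding hit count to compare in a retest.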
1 Answer
"How can I prevent this from happening?"
This is not a WordPress issue, as WordPress doesn't control the client's garbage collection. The password would disappear in a short time, when the JavaScript engine would be available for this task.
"the use of a cleartext password cannot be good practice?"
The browser is passing the cleartext password to WordPress; this is how username-password authentication (also called basic authentication) works.
Thanks, surely WP is at fault? Should WP not store user credentials in the browser memory. Passwords should be encrypted or stored in salted hash format. Ref: cwe.mitre.org/data/definitions/316.html
– David.J
Nov 15 '18 at 12:07
The password is stored in the browser memory, hence the relevant application is the browser's JVM. WP is considered an application only on the WP server. Interestingly enough, PHP has exactly the same issue. The reason it is not mitigated in scripting languages (JS, PHP) is the short lifetime of a script. Java and C# have objects that hold strings encrypted in their heap.
– Yuval Papish
Nov 15 '18 at 15:32
Interesting, thanks for your comments. JVM, you mean the browser memory right?
– David.J
Nov 15 '18 at 17:10
I wrote JVM but meant the rendering engine, as this is an HTML input and not a JS variable. The answer is still the same: it's up to the client garbage collection algorithm to clean up the memory. Btw: if you use a multi-process browser, such as Google Chrome, you won't experience this issue when closing a tab, because the relevant processes would be terminated immediately. However, this does not mean that Chrome is safer, because the same issue would happen when you reuse the same tab.
– Yuval Papish
Nov 17 '18 at 19:29
@David.J I was referring to the answer: "…this is how username-password authentication (also called basic authentication) works." While you could call this 'a basic form of authentication', I know 'basic authentication' only in the context of HTTP, and the first couple of search result pages seem to agree. WP does send credentials over HTTP, but it is not Basic Authentication.
– kubi
Nov 20 '18 at 22:37
answered Nov 15 '18 at 11:32 by Yuval Papish