WordPress Cleartext Password Stored In Browser Memory










I have been performing penetration testing on a stock WordPress install. A persistence concern I see is that WP stores cleartext passwords within the browser memory.



To reproduce:



  1. Log in to WordPress and then log back out. Close that particular tab, but keep Chrome open.
  2. Create a dump file of the browser memory.
  3. Open the dump file and search for the password; you will then see it present in clear text.


How can I prevent this from happening?



Regardless of the context of someone actually viewing the password this way, the use of a cleartext password cannot be good practice?



Ref: https://cwe.mitre.org/data/definitions/316.html










  • What tool did you use for the export? Official browser plugin, nirsoft, etc.?

    – f.overflow
    Nov 12 '18 at 14:28











  • Hi @f.overflow, actually this can be done without any tool. In Task Manager => Applications, right-click Chrome and click "Create Dump File". Open that file, and search for your WP password and it can be seen as text.

    – David.J
    Nov 12 '18 at 14:41















wordpress security browser passwords penetration-testing






edited Nov 15 '18 at 12:07 – David.J

asked Nov 8 '18 at 14:27 – David.J
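
The dump check from the reproduction steps above, as an added example that is not part of the original post: a Python scan of a dump file for a known test credential in both UTF-8 and UTF-16LE. The function names, the sample credential and the sample dump are constructed for illustration.

```python
"""Check whether a known test credential is present in a process dump."""
import getpass
import io
import sys

# A typed credential can sit in memory as single-byte text (UTF-8) or as
# 16-bit text (UTF-16LE), so both forms are searched.
ENCODINGS = ("utf-8", "utf-16-le")


def find_secret(stream, secret, chunk_size=1 << 20):
    """Return sorted (offset, encoding) pairs where `secret` occurs in `stream`.

    The stream is read in chunks so a multi-gigabyte dump does not have to
    fit in RAM. A tail of (longest needle - 1) bytes is carried into the next
    window so a match straddling a chunk boundary is still found; the set
    removes matches seen twice because they fit entirely inside that tail.
    """
    if not secret:
        raise ValueError("secret must not be empty")
    needles = {enc: secret.encode(enc) for enc in ENCODINGS}
    keep = max(len(n) for n in needles.values()) - 1
    hits = set()
    tail = b""
    base = 0  # file offset of the first byte of `tail`
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        for enc, needle in needles.items():
            pos = window.find(needle)
            while pos != -1:
                hits.add((base + pos, enc))
                pos = window.find(needle, pos + 1)
        tail = window[-keep:]
        base += len(window) - len(tail)
    return sorted(hits)


def sample_dump(secret):
    """Constructed stand-in for a dump: filler with the secret in both forms."""
    filler = b"\xaa"
    return (filler * 1000 + secret.encode("utf-8")
            + filler * 500 + secret.encode("utf-16-le") + filler * 100)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Prompt instead of taking the credential as an argument, so it does
        # not end up in shell history or the process list.
        secret = getpass.getpass("Test credential to look for: ")
        with open(sys.argv[1], "rb") as fh:
            found = find_secret(fh, secret)
    else:
        secret = "constructed-test-pw-1"  # constructed sample value
        found = find_secret(io.BytesIO(sample_dump(secret)), secret)
    for offset, enc in found:
        print(f"0x{offset:08x}  {enc}")
    print(f"{len(found)} occurrence(s)")
```

A count of zero only shows that the credential is absent in these two encodings at the moment the dump was taken.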












1 Answer

"How can I prevent this from happening?"



This is not a WordPress issue, as WordPress doesn't control the client's garbage collection. The password would disappear in a short time, when the JavaScript engine would be available for this task.



"the use of a cleartext password cannot be good practice?"



The browser is passing the cleartext password to WordPress; this is how username-password authentication (also called basic authentication) works.






  • Thanks, surely WP is at fault? Should WP not store user credentials in the browser memory. Passwords should be encrypted or stored in salted hash format. Ref: cwe.mitre.org/data/definitions/316.html

    – David.J
    Nov 15 '18 at 12:07











  • The password is stored in the browser memory, hence the relevant application is the browser's JVM. WP is considered as an application only on the WP server. Interestingly enough, PHP has exactly the same issue. The reason it is not mitigated in scripting languages (JS, PHP) is the short lifetime of a script. Java and C# have objects that hold strings encrypted in their heap.

    – Yuval Papish
    Nov 15 '18 at 15:32












  • Interesting, thanks for your comments. JVM, you mean the browser memory, right?

    – David.J
    Nov 15 '18 at 17:10











  • I wrote JVM but meant the rendering engine, as this is an HTML input and not a JS variable. The answer is still the same: it's up to the client garbage collection algorithm to clean up the memory. Btw: If you would use a multi-process browser, such as Google Chrome, you won't experience this issue when closing a tab, because the relevant processes would be terminated immediately. However, this does not mean that Chrome is safer, because the same issue would happen when you'd reuse the same tab.

    – Yuval Papish
    Nov 17 '18 at 19:29






  • @David.J I was referring to the answer: "…this is how username-password authentication (also called basic authentication) works.". While you could call this 'a basic form of authentication', I know 'basic authentication' only in the context of HTTP, and the first couple of search result pages seem to agree. WP does send credentials over HTTP, but it is not Basic Authentication.

    – kubi
    Nov 20 '18 at 22:37










answered Nov 15 '18 at 11:32 – Yuval Papish











