4

Using Internet Explorer 11 I have been able to login to HTTPS web applications by providing a username and password and then subsequently logout. Whilst the browser process is running I can then dump the browser memory (for example by using WinHex) and can see the login HTTP request, including the username and password, in plain text.

Is there a configuration setting within the browser or a change that could be made to the web applications to prevent this?

Matthew Murdoch
  • 183
  • 1
  • 6
  • 1
    Unlikely. The memory is likely freed, and just hasn't been zeroed out. Since IE11 is so integrated into the Windows operating system there would have to be a change in the OS level to change that. – RoraΖ Feb 04 '16 at 13:48
  • While somewhat disconcerting, it only gives you access to your own passwords. Shutting down the machine will do a good job clearing memory. – Neil Smithline Feb 04 '16 at 14:51
  • I suspect this data is stored because of JavaScript serialized data on the login form. Please check if you are serializing your login form before submitting it in POST request. **Read more about form serialize:** https://www.w3schools.com/jquery/ajax_serialize.asp – Moolshankar Tyagi Jun 05 '17 at 12:20
  • XSS is probably more dangerous in this context. If they manage to inject a script into the browser, then they can read out the password from its memory and send it to a remote site without you knowing it. – inf3rno Oct 30 '17 at 00:58

2 Answers2

8

On a Windows machine, inspecting the memory of the IE process is limited to the owner user, and administrators. If an attacker can inspect the memory of your IE process, then that attacker has taken control of your machine and/or your account, and you are already doomed.

If the machine is "shared" then there is no really good solution: if an hostile entity can take control of the machine after you have finished using it, the same attacker could probably take control of the machine before you begin to use it, and plant a key logger, at which point your password is toast. No amount of closing/rebooting will save you. The conclusion is grim but unescapable: do NOT type passwords (or anything secret) on a shared machine.

If you are in a context where you only fear attackers who grab the machine after your usage (the "laptop theft" model), then the best you can achieve is probably to employ full-disk encryption (there are various products for that; some versions of Windows already include one called BitLocker). If you take care to shut down the machine when you are not using it, or if you mind the details about sleep/hibernation mode, then this should protect your data, including the pieces that linger in RAM.

For attackers with little competence, you could simply ensure that the IE process is dead, by closing all windows, but this would not necessarily remove all traces of the data from RAM. Your passwords may also have been written to the virtual memory file. Full-disk encryption is a more comprehensive solution.

Community
  • 1
Tom Leek
  • 168,808
  • 28
  • 337
  • 475
-2

No, but you can hash or encrypt the password in the client prior to posting to the server. JSEncrypt works well for this. In a perfect world, Microsoft would address this via service pack.

user2368632
  • 101
  • 1