User Password Persisted In Memory

Overview of the Vulnerability

The user's password remains in memory after the application has stopped using it. An attacker who can read the process's memory can recover the plaintext password and log in as the user, impersonate them, or make requests on their behalf.

Business Impact

This vulnerability can lead to reputational damage for the business due to a loss in confidence and trust by users.

Steps to Reproduce

  1. Use a tool that can display the application's process memory in a human-readable format

  2. Log in to the application

  3. Navigate to {{url}} and perform {{action}}

  4. Stop using the application

  5. Using the memory viewer, locate the user's password, which remains in memory after use

Proof of Concept (PoC)

The plaintext password that remained in memory after use can be seen below:

{{screenshot}}

Recommendation(s)

Passwords should be cleared from memory as soon as the application has finished using them to authenticate the user.
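The following C snippet is an added example of this recommendation and is not part of the template: the typed password is copied into a scratch buffer, verified, and then wiped through a volatile pointer so the compiler cannot discard the clearing stores as a dead write. `EXPECTED` is a constructed sample credential and `login_and_wipe` is a hypothetical verifier standing in for the application's real check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Wipe a buffer in a way the optimizer will not elide. A plain memset()
 * right before the buffer goes out of scope is a dead store that compilers
 * may remove; stores through a volatile pointer must be performed. */
void secure_zero(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Constructed sample credential for the example; a real application would
 * compare against a stored password hash, never a plaintext value. */
static const char EXPECTED[] = "correct horse";

/* Constant-time comparison so timing does not leak how many bytes matched. */
static bool check_password(const unsigned char *typed, size_t len) {
    size_t exp_len = sizeof(EXPECTED) - 1;
    unsigned char diff = (unsigned char)(len != exp_len);
    for (size_t i = 0; i < exp_len; i++) {
        unsigned char c = (i < len) ? typed[i] : 0;
        diff |= (unsigned char)(c ^ (unsigned char)EXPECTED[i]);
    }
    return diff == 0;
}

/* Hypothetical login routine: copies the typed password into the caller's
 * scratch buffer, verifies it, and wipes the whole buffer before returning
 * so the plaintext does not linger in memory after use. */
bool login_and_wipe(unsigned char *scratch, size_t cap, const char *typed) {
    size_t len = strlen(typed);
    if (len >= cap) {
        return false;             /* does not fit; nothing was copied */
    }
    memcpy(scratch, typed, len + 1);
    bool ok = check_password(scratch, len);
    secure_zero(scratch, cap);    /* clear on both success and failure */
    return ok;
}

/* Helper so a caller (or test) can confirm the buffer really was cleared. */
bool is_all_zero(const unsigned char *buf, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}
```

Wiping this buffer only helps if no other copies of the password exist, such as in UI widgets, log lines, or immutable string objects in garbage-collected runtimes; every copy needs the same treatment.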
