Security Issues Caused by Sensitive Information Being Stored Locally
Quite often as part of security testing, you use a hex editor to see how an application is storing sensitive information, such as passwords, in memory. When using Firefox and Internet Explorer, you can use a hex editor, such as WinHex, to search the active memory in these programs and frequently find user ID and password combinations.
With Internet Explorer this information is kept in memory even after browsing to several other websites or logging out of the application. This memory usage feature poses a security risk on the local system if another user accesses the computer or if the system is infected with malware that can search system memory for sensitive information.
The way browsers store sensitive information in memory is also bad news if an application error or system memory dump occurs and the user ends up sending the information to Microsoft (or another browser vendor) for QA purposes. It’s also bad news if the information is written to a dump file on the local hard drive and sits there for someone to find.
Try searching for sensitive information stored in memory related on your web application(s) or on standalone programs that require authentication. You just might be surprised at the outcome. Outside of obfuscating or encoding the login credentials, there’s unfortunately not a great fix because this “feature” is part of the web browser that developers can’t really control.
A similar security feature occurs on the client side when HTTP GET requests rather than HTTP POST requests are used to process sensitive information. The following is an example of a vulnerable GET request:
GET requests are often stored in the user’s web browser history file, web server log files, and proxy log files. GET requests can be transmitted to third-party sites via the HTTP Referer field when the user browses to a third-party site. All of the above can lead to exposure of login credentials and unauthorized web application access.
The lesson: Don’t use HTTP GET requests for logins. Use HTTP POST requests instead. If anything, consider these vulnerabilities to be a good reason to encrypt the hard drives of your laptops and other computers that are not physically secure!