Cleartext Storage of Sensitive Information in Memory - VPN and Password managers
DoctorG Ambassador
A German IT-Sec company tested VPN and password managers.
Result:
"sensitive memory might be saved to disk, stored in a core dump, or remain uncleared if the product crashes, or if the programmer does not properly clear the memory before freeing it."
– https://cwe.mitre.org/data/definitions/316.html
Example: core dumps from crashes may contain sensitive information like unencrypted passwords.
More at:
https://www.secuvera.de/blog/studie-klartextpassworter-in-passwortspeichern/
https://www.heise.de/news/Schwere-Luecke-bei-kritischen-Anwendungen-Klartextpasswoerter-im-Prozessspeicher-9830774.html
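
The three exposure paths named in the CWE-316 quote (memory saved to disk, core dumps, memory not cleared before freeing) each have a process-side mitigation on POSIX systems. The C sketch below is an added example, not part of the post or the linked study; `secret_t` and its helper functions are hypothetical names, and the password is a constructed sample.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>

typedef struct { unsigned char *buf; size_t len; int locked; } secret_t;

/* Core dumps: a zero RLIMIT_CORE stops the kernel writing a core file. */
int disable_core_dumps(void) {
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Swap: mlock() keeps the pages resident. It can fail under a low
   RLIMIT_MEMLOCK, so the result is recorded instead of assumed. */
int secret_alloc(secret_t *s, size_t len) {
    s->buf = calloc(1, len);
    if (s->buf == NULL) return -1;
    s->len = len;
    s->locked = (mlock(s->buf, len) == 0);
    return 0;
}

/* Stale heap data: write zeros through a volatile pointer so the compiler
   cannot discard the stores as dead writes ahead of free(). */
void secret_wipe(secret_t *s) {
    volatile unsigned char *p = s->buf;
    for (size_t i = 0; i < s->len; i++) p[i] = 0;
}

void secret_free(secret_t *s) {
    if (s->buf == NULL) return;
    secret_wipe(s);
    if (s->locked) munlock(s->buf, s->len);
    free(s->buf);
    s->buf = NULL; s->len = 0; s->locked = 0;
}

int main(void) {
    static const char sample[] = "constructed-sample-password";
    secret_t s;
    if (disable_core_dumps() != 0 || secret_alloc(&s, sizeof sample) != 0) return 1;
    memcpy(s.buf, sample, sizeof sample);   /* secret in use */
    printf("locked in RAM: %s\n", s.locked ? "yes" : "no");
    secret_free(&s);                        /* wiped, unlocked, freed */
    return 0;
}
```

This protects only the buffer the program allocates itself; any copy made elsewhere (input widgets, string objects, I/O buffers) stays in memory until it is wiped the same way.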