Passwords are getting saved in dump file on user login even after the encryption
Hi folks, We have an application in angular 10 and the issue is once the user tries to login by entering email and password, the password is getting saved in the browser's dump you can view the file in hex editor. This is a security threat for the application. We have used crypto-js and does an encryption on the client's end and also I can see the encrypted password coming on the backend. So I need the help why this is happening and how this can be remediate.
Wszystkie odpowiedzi (4)
I am not creating O/S dump files. I have an application built in Angular 10 it has a login page. When I run this application on firefox browser and enter password and then go to Task Manager and right click and create a dump file, it will store that file in a temp location in my OS. When I am trying to open this file using HexEditor and search for my password I found it there. So my question is why firefox dump is capturing the user's Password. If you want to test this take an example of Gmail login into your gmail account, then create a dump of the firefox browser from task manager and open the file in hex editor and then search for your gmail password. You will notice that the browser is capturing your password but why browser is doing this, it is a security concern for my application??
Zmodyfikowany przez basantanimohit1312 w dniu
Could you file a bug report on https://bugzilla.mozilla.org/
@Dropa I am sure you have not understood what my question is? Let me explain you in more simple words and please follow the attached screenshots. I hope if you follow screenshots you will able to understand my question. 1. I have opened firefox browser on my machine. And entered the URL of my demo app http://localhost:4200 2. I have entered the email and password credentials for login and clicked submit button 3. Then I opened the task manager and from there I created a dump file. 4. I opened this file in the Neo HexEditor and searched for the password I entered above and this password was got captured by firefox browser's dump file.
So Why Firefox is saving these passwords in dump files this is a security threat?
Images Zip can't be uploaded in here can anyone suggest how should I do that?
basantanimohit1312 said
So Why Firefox is saving these passwords in dump files this is a security threat?
I think the dump files you create from Task Manager capture the contents of the process's memory. So in my mind, the question is why Firefox is storing logins in plain text in memory rather than encrypting them in some manner. Now, it could be that the encryption key also would need to be in the same process's memory so it wouldn't be much of a gain to encrypt the login, but maybe it's better than nothing?