0

If you have a variable set with sensitive data:

var secretPassword = 'myPa$sW0rd';

and you overwrite it:

secretPassword = '0000000000';

Does a javascript engine allocate new memory for the new data? is the data myPa$sW0rd potentially somewhere in unallocated memory still? My main question is this: is there a way to guarantee that you overwrite the data? (ie zero it out or securely delete the data). I wonder if looping through the characters in the string and resetting them that way would do it.

I assume it's not likely you would be able to access the data without some bug in the javascript engine.

ritzz.soni
  • 335
  • 1
  • 15
Mike
  • 3
  • 4
  • 3
    Even if it is guaranteed, such low-level security is futile in javascript: what is to say nobody read or modified secretPassword before you get to it? – doldt Jun 09 '15 at 15:05
  • To understand just how futile UI level security is, create a page with a password field in it, type in a password, then, in the console, run this: `alert(document.getElementById(THE_PASSWORD_FIELD_ID).value);` – talemyn Jun 09 '15 at 15:11
  • Thanks guys, I'm not worried about those things. When you store credentials they have to be stored somewhere. I'm just thinking more about when the user is no longer authenticated or at least not at the same privilege escalation (and why keep them escalated longer than necessary). Wanted to make sure they were potentially in unallocated memory like I thought (even after resetting the variable). – Mike Jun 09 '15 at 15:33

2 Answers2

1

Does a javascript engine allocate new memory for the new data?

yes

is the data myPa$sW0rd potentially somewhere in unallocated memory still?

yes if no garbage collection cleaned it up

My main question is this: is there a way to guarantee that you overwrite the data? (ie zero it out or securely delete the data).

Not really, except if you play with the garbage collector. See related post

I wonder if looping through the characters in the string and resetting them that way would do it.

No

Edit : As pointed out by doldt, there is no real security threat even if the previous data is still somewhere in memory.

Community
  • 1
  • 1
couettos
  • 591
  • 5
  • 15
  • So are you saying that looping through and setting each character also allocates new memory? I'm actually a bit surprised about that. I'm too lazy (and maybe not *that* interested) to look at javascript engine code. – Mike Jun 09 '15 at 16:00
  • Can you maybe link to some sources or implementation details about this behaviour? – doldt Jun 09 '15 at 17:10
  • yes looping will allocate new memory. There is no need to look at javascript engine code. Just trust the spec : [link](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Memory_Management) – couettos Jun 09 '15 at 19:50
  • Thanks couettos, I see that strings are immutable. I should have googled using that word but didn't think of it. – Mike Jun 09 '15 at 22:39
0

Try to use an array of fixed size and assign 0 values to all elements on clean-up. This does not reallocate a new object.

However, it will be difficult to control where the value is passed around once you use it as a string.

Remigius Stalder
  • 1,921
  • 2
  • 26
  • 31