It was discovered during a pen test of an Electron application that password values remain in memory as clear text after the variables are no longer in scope. The clear-text passwords can be found by performing a memory dump of the process. Upon further testing, we found that we could recover credit numbers in memory after placing orders on websites using Chrome. It is suspected that the same behavior will be found in other browsers and Node applications. This is obviously a serious security flaw, and anyone who can access a shared computer and can access memory dumps has a treasure trove of private data.
This was reported as a bug to the Chromium team but they closed it out as a feature request.
The proposal is to add a function to the language or objects similar to the delete(object.property) that will zero out the memory that was allocated by the variable or object.
As a side note, we also discovered that all network traffic that is performed via Chromium is stored in memory as clear text, even though the communication was via HTTPS. The network traffic is retained in memory to use in the Web Dev Tools - Network inspector. Our solution to that was to encrypt the private data with a public key that the site provided as part of the login page. This obscured the password so that only the web site server could decode it. However, the input variable that the web form discarded remained in memory indefinitely. In our research, there is no way of disabling or clearing the network traffic recording. It appears that there is a cache that flushes the oldest request based on hitting some memory limit.
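
An added example, not part of the original post or any project's code: the public-key mitigation described above, written for Node or Electron with the built-in `crypto` module, with the secret kept in a mutable `Buffer` so it can be overwritten after use. The helper names and the choice of RSA-OAEP with SHA-256 are assumptions, and the key pair and password are constructed for the demo.

```javascript
'use strict';
const crypto = require('crypto');

// Hypothetical helper: encrypt secret bytes with the site's RSA public key
// (RSA-OAEP/SHA-256 is an assumption; the post names no scheme), then
// overwrite the plaintext in place. A Buffer is mutable; a JS string is not.
function sealAndWipe(secretBytes, publicKeyPem) {
  try {
    return crypto.publicEncrypt(
      { key: publicKeyPem, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' },
      secretBytes
    );
  } finally {
    // Best effort: clears this buffer only, not copies held elsewhere by the
    // runtime or the network log the post describes.
    secretBytes.fill(0);
  }
}

// True when every byte has been overwritten with zero.
function isWiped(buf) {
  return buf.every((b) => b === 0);
}

// Constructed demo: a throwaway key pair stands in for the key the login page serves.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  // Constructed sample secret. In a real app the bytes must not pass through a
  // string (such as a form field value), because that string cannot be cleared.
  const secret = Buffer.from('constructed-sample-password', 'utf8');
  const ciphertext = sealAndWipe(secret, publicKey);
  // Simulated server side: only the private-key holder recovers the value.
  const recovered = crypto.privateDecrypt(
    { key: privateKey, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' },
    ciphertext
  ).toString('utf8');
  return { recovered, wiped: isWiped(secret), ciphertextLength: ciphertext.length };
}

console.log(demo());
```

The wipe only covers the buffer the code controls, which is why the string left behind by the form input, as the post notes, stays out of reach.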