Password is stored as String

[beders]

The current library is vulnerable to memory dump inspection techniques, since credentials are stored in several places as reference to a string object. In practice this means that during the lifetime of using the ExchangeService object, the password remains on the heap, even if it is only used for NTLMScheme authenticate calls. Since you are getting a session identifier that is used afterwards, the password could be cleared from memory.

However, this is only doable if the password is stored as a char[]. Otherwise you are at the mercy of the Java GC to clean up the memory, which, due to reasons above, is not likely to happen if a service continues to hold onto an ExchangeService object.

Proposed solution: Replace all occurrences of a String password or String pwd field with a char[].

[philci52]

Its more difficult then simply replacing a String with a char[], you also have to follow that char[] and make sure that its not used anywhere that converts to a string and additionally, you have to zero out the char[] or any char[] that the password is copied into after its use, which typically needs to be in a finally block.

[beders]

Yup. Which is why I haven't given it a try yet. ;)

[hakanai]

Better authentication APIs usually let you pass a callback to provide the password at the moment you need it. That way you are getting it put into an array at exactly the moment you're about to use it, you know you can clear it immediately afterwards, and you don't ever pass the array reference to anybody else.

Actually, the built-in authentication APIs in Java do this for the username in addition to the password.