UserAgent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36

Steps to reproduce the problem:
We have identified that sensitive data entered in the browser remains in clear-text in memory, even after the data has been sent to the server and the tab has been closed by the user.

How to reproduce:
1. Use the browser to submit sensitive information to a web server, i.e. logging into a Google account

2. Close the tab in which the logging was done.

3. Create a memory dump and search through the memory for sensitive POST requests (i.e. by looking for the "username" "password" parameter names).

What is the expected behavior?
We expected sensitive data to be overwritten the moment the request had been sent to the server, or at the latest when the browser tab was closed.

What went wrong?
Going forward, we recommend to mitigate this issue by ensuring that you overwrite sensitive data from memory with zeroes as soon as possible, to prevent even free'd sensitive data from remaining available in memory. Generally, this can be done after the data has been sent to the server. 

Did this work before? N/A 

Chrome version: 51.0.2704.106  Channel: stable
OS Version: 6.3
Flash Version: Shockwave Flash 22.0 r0

We built a Volatility plugin to easily harvest clear-text credentials from a memory dump. However, even simply grepping the memory dump for entered credentials should be sufficient to reproduce the issue on your end.

We have submitted this research to the BruCON security conference, which accepted it. We will thus present the theoretical issue, as well as open-source the Volatility plugin at the end of October 2016. We thus hereby inform you more than three months in advance of the problem, in the hope that you can resolve it by then.