
Business information leak - Financial Information

Need

Protection of sensitive financial information from unauthorized access or disclosure

Context

  • Usage of Go 1.16 for developing high-performance applications
  • Usage of gin-gonic/gin for building web applications in Go
  • Usage of net/http from the Go standard library for HTTP status codes and server primitives

Description

Non compliant code

package main

import (
	"github.com/gin-gonic/gin"
	"net/http"
)

// BusinessInfo holds the financial details of a single payment.
type BusinessInfo struct {
	Mail                     string
	PaymentReference         string
	Description              string
	TotalValue               float64
	ProductInformation       string
	CollectorsLineOfBusiness string
	PayersRole               string
}

func main() {
	r := gin.Default()

	// No authentication or authorization: any client that can reach the
	// server receives the complete record.
	r.GET("/business_info", func(c *gin.Context) {
		info := BusinessInfo{
			Mail:                     "[email protected]",
			PaymentReference:         "123456789",
			Description:              "Payment for product X",
			TotalValue:               500.00,
			ProductInformation:       "Product X details",
			CollectorsLineOfBusiness: "Business field",
			PayersRole:               "Customer",
		}

		// The whole struct is serialized into the response body.
		c.JSON(http.StatusOK, gin.H{"info": info})
	})

	r.Run()
}

This code is a simple Go application using the Gin framework. It defines a /business_info endpoint that returns a JSON object containing sensitive business information to any client that sends a GET request.

The BusinessInfo struct holds the business information: email address, payment reference, description, total value, product information, collector's line of business and payer's role. The entire struct is serialized and returned by the /business_info endpoint.

The vulnerability is that the endpoint performs no authentication and no authorization. Any client, whether it has an account or not, can call it and retrieve the full record.

This is a business information leak: an attacker obtains the payer's email address, the payment reference, description and total value, the product information, the collector's line of business and the payer's role. That data is enough for fraud, identity theft or other financial harm; for example, a payment-redirection phishing message that quotes the real reference and amount is far more convincing than a generic one.

Steps

  • Identify the sensitive financial fields the endpoint handles (email address, payment reference, amounts, product and payer details).
  • Do not return sensitive business information in API responses to callers that have no need for it; return only the fields each caller requires.
  • Implement authentication so that every request to the endpoint carries a verified identity.
  • Implement authorization so that only principals entitled to a record (its owner, or a role such as finance staff) can read it.
  • Serve the endpoint over TLS, and consider encrypting the sensitive information at rest or for the client's key where the design calls for it.
  • Regularly review and update the access controls and security measures to adapt to changing threats and vulnerabilities.

Compliant code

package main

import (
	"github.com/gin-gonic/gin"
	"net/http"
)

// BusinessInfo holds the financial details of a single payment.
type BusinessInfo struct {
	Mail                     string
	PaymentReference         string
	Description              string
	TotalValue               float64
	ProductInformation       string
	CollectorsLineOfBusiness string
	PayersRole               string
}

func main() {
	r := gin.Default()

	r.GET("/business_info", func(c *gin.Context) {
		// Check if the user is authenticated and authorized before touching
		// any data. Unauthenticated callers get 401; a full implementation
		// should answer 403 for callers that are identified but not entitled.
		if !isUserAuthenticatedAndAuthorized(c) {
			c.JSON(http.StatusUnauthorized, gin.H{"error": "Unauthorized"})
			return
		}

		info := BusinessInfo{
			Mail:                     "[email protected]",
			PaymentReference:         "123456789",
			Description:              "Payment for product X",
			TotalValue:               500.00,
			ProductInformation:       "Product X details",
			CollectorsLineOfBusiness: "Business field",
			PayersRole:               "Customer",
		}

		// Encrypt sensitive information; an encryption failure must not fall
		// back to sending plaintext.
		encryptedInfo, err := encryptBusinessInfo(info)
		if err != nil {
			c.JSON(http.StatusInternalServerError, gin.H{"error": "Error encrypting information"})
			return
		}

		c.JSON(http.StatusOK, gin.H{"info": encryptedInfo})
	})

	r.Run()
}

// isUserAuthenticatedAndAuthorized must verify the caller's identity (for
// example a session or bearer token) and check that this identity may read
// the record. The placeholder denies every request, so the endpoint fails
// closed until real logic is supplied.
func isUserAuthenticatedAndAuthorized(c *gin.Context) bool {
	// Implement your authentication and authorization logic here
	return false
}

// encryptBusinessInfo must serialize and encrypt the record for a key the
// client holds. The placeholder returns an empty string, so no data leaves
// the server until it is implemented.
func encryptBusinessInfo(info BusinessInfo) (string, error) {
	// Implement your encryption logic here
	return "", nil
}

The updated code includes two changes to address the leak of sensitive business information:

  1. Authentication and authorization: before returning any business information, the handler calls isUserAuthenticatedAndAuthorized. That function must verify the caller's identity (for example, validate a session or bearer token) and check that the identified caller is entitled to this particular record. The placeholder returns false, so until real logic is supplied the endpoint fails closed and answers 401 Unauthorized to every request. A full implementation should distinguish the two cases: 401 when no valid credential is presented, 403 Forbidden when the caller is identified but not entitled to the data.

  2. Encryption: the record is passed through encryptBusinessInfo before it is placed in the response, and an encryption failure yields 500 Internal Server Error instead of falling back to plaintext. The placeholder returns an empty string, so the response carries no data until it is implemented. This only protects the payload if the client holds the corresponding key; protection against interception on the wire is the job of TLS, which the server must use in any case.

Together, these changes ensure that only authenticated and authorized callers reach the data, and that a response obtained without the decryption key is not readable. Access control is the primary fix; application-layer encryption is defence in depth, not a substitute for it.
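The Steps above and the explanation of the compliant code both leave the access-control logic as a placeholder. The following is an added example, not code from the original page, that fills it in with the Go standard library (net/http, listed in the Context) rather than Gin, so it runs without third-party modules. It assumes a constructed in-memory token table and a single constructed payment record (hypothetical values); a real service would validate tokens against a session store or identity provider and load records from a database. It demonstrates the three things a practitioner needs here: bearer-token authentication with constant-time digest comparison, per-record authorization (a customer may read only their own payment, finance staff may read any), and a least-privilege projection so a customer never receives fields they do not need.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"log"
	"net/http"
	"strings"
)

// BusinessInfo is the full payment record; callers see only the projection they are entitled to.
type BusinessInfo struct {
	Mail, PaymentReference, Description, ProductInformation, PayersRole string
	TotalValue                                                          float64
}

// principal is the authenticated caller and the roles it holds.
type principal struct {
	Subject string
	Roles   map[string]bool
}

// Constructed sample record (hypothetical values, not data from the original page).
var record = BusinessInfo{"payer@example.com", "123456789", "Payment for product X", "Product X details", "Customer", 500.00}

func hashToken(tok string) []byte { h := sha256.Sum256([]byte(tok)); return h[:] }

// Constructed token table: only SHA-256 digests of the bearer tokens are kept in memory. A real
// service would validate tokens against a session store or identity provider instead.
var tokens = []struct {
	hash []byte
	who  principal
}{
	{hashToken("payer-token-ABC"), principal{"payer@example.com", map[string]bool{"customer": true}}},
	{hashToken("other-token-DEF"), principal{"other@example.com", map[string]bool{"customer": true}}},
	{hashToken("finance-token-XYZ"), principal{"analyst@example.com", map[string]bool{"finance": true}}},
}

// authenticate maps the Authorization header to a principal. Digests are compared in constant
// time and the loop never exits early, so response timing does not reveal which entry matched.
func authenticate(r *http.Request) (principal, bool) {
	const prefix = "Bearer "
	auth := r.Header.Get("Authorization")
	if !strings.HasPrefix(auth, prefix) {
		return principal{}, false
	}
	presented := hashToken(strings.TrimSpace(strings.TrimPrefix(auth, prefix)))
	found, ok := principal{}, false
	for _, e := range tokens {
		if subtle.ConstantTimeCompare(presented, e.hash) == 1 {
			found, ok = e.who, true
		}
	}
	return found, ok
}

// authorize: finance staff may read any record; a customer may read only their own.
func authorize(p principal, info BusinessInfo) bool {
	return p.Roles["finance"] || (p.Roles["customer"] && p.Subject == info.Mail)
}

// view is the least-privilege projection: a customer gets what is needed to reconcile the
// payment, finance staff get the full record.
func view(p principal, info BusinessInfo) map[string]interface{} {
	out := map[string]interface{}{"payment_reference": info.PaymentReference, "total_value": info.TotalValue}
	if p.Roles["finance"] {
		out["mail"], out["description"] = info.Mail, info.Description
		out["product_information"], out["payers_role"] = info.ProductInformation, info.PayersRole
	}
	return out
}

func writeJSON(w http.ResponseWriter, status int, v interface{}) {
	w.Header().Set("Content-Type", "application/json")
	w.Header().Set("Cache-Control", "no-store") // keep financial data out of shared caches
	w.WriteHeader(status)
	json.NewEncoder(w).Encode(v)
}

// businessInfoHandler answers 401 when credentials are missing or invalid, 403 when the caller
// is authenticated but not entitled to this record, and 200 with a filtered view otherwise.
func businessInfoHandler(w http.ResponseWriter, r *http.Request) {
	p, ok := authenticate(r)
	if !ok {
		w.Header().Set("WWW-Authenticate", `Bearer realm="business_info"`)
		writeJSON(w, http.StatusUnauthorized, map[string]string{"error": "unauthenticated"})
		return
	}
	if !authorize(p, record) {
		writeJSON(w, http.StatusForbidden, map[string]string{"error": "forbidden"})
		return
	}
	writeJSON(w, http.StatusOK, view(p, record))
}

func main() {
	// Terminate TLS in front of this server (or use ListenAndServeTLS): tokens must never travel in clear.
	http.HandleFunc("/business_info", businessInfoHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Run it and call the endpoint with `curl -H "Authorization: Bearer payer-token-ABC" http://127.0.0.1:8080/business_info`: the payer receives only the payment reference and amount, `other-token-DEF` (a different customer) gets 403, `finance-token-XYZ` gets the full record, and a missing or unknown token gets 401 with a WWW-Authenticate header. Separating authentication from authorization, and projecting the record per role, is what closes the leak; the Cache-Control: no-store header keeps the financial payload out of intermediaries and browser caches.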
