Privacy violation

Description

The system violates one or more privacy requirements.

Impact

Incur in legal trouble due to a violation of user privacy.

Recommendation

Abide by the privacy regulations in force.

Threat

Unauthenticated attacker from the Iternet in the application.

Expected Remediation Time

⌚ 300 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

• Attack vector: N
• Attack complexity: L
• Privileges required: L
• User interaction: N
• Scope: U
• Confidentiality: N
• Integrity: N
• Availability: L

Temporal

• Exploit code madurity: X
• Remediation level: X
• Report confidence: X

Result

• Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:X/RC:X
• Score:
  • Base: 4.3
  • Temporal: 4.3
• Severity:
  • Base: Medium
  • Temporal: Medium

Code Examples

Compliant code

The application allows for users to unsubscribe from email lists, following privacy regulations

app.get('/delete', async (req, res) => {
  try {
    const contact = await getContactByEmail(req.query.email);
    if(contact == null) throw `Contact not found.`;
    if (contact.custom_fields.conf_num ==  req.query.conf_num) {
      const listID = await getListID('Newsletter Subscribers');
      await deleteContactFromList(listID, contact);
      res.render('message', { message: 'mymessage' });
    }
  else throw 'Confirmation number does not match or contact is not subscribed'
  }
  catch(error) {
    console.error(error)
    res.render('message', { message: 'mymessage' })
  }
});

Non compliant code

The application does not have proper functionality to unsubscribe from email notifications

app.post('/unsubscribe', async (req, res) => {
  res.redirect("/suscription");
});

Requirements

• 189. Specify the purpose of data collection
• 310. Request user consent
• 311. Demonstrate user consent
• 312. Allow user consent revocation
• 313. Inform inability to identify users
• 314. Provide processing confirmation
• 315. Provide processed data information
• 316. Allow rectification requests
• 317. Allow erasure requests
• 318. Notify third parties of changes
• 343. Respect the Do Not Track header

free trial

Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.