Skip to main content

Business information leak - Personal Information

Description

Real user information such as real ID numbers and phone numbers are being stored in the source code.

Impact

Obtain personal information from the user of the application in order to use it in different attacks such as social engineering, among others.

Recommendation

Personal information should not be exposed in the source code, and in case it is necessary, the data used should not correspond to reality.

Threat

Attacker with access to the applications source code.

Expected Remediation Time

โŒš 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: H
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code madurity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 3.1
    • Temporal: 3.1
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

Sensitive information should be encrypted and stored in a database only accessed with admin privileges

resource "db_storage_rules" "name" {
resource_group_name = db_resource_group.test.name
storage_account_name = db_storage_account.test.name
default_action = "Deny"
}

Non compliant code

There is a file in the source code that stores the employee information

Employees {
ids {
name: "index.html";
phone: "localhost:4446 ssl";
role: "admin";
government_id = "1234095";
}
}

Requirements