Business information leak - Personal Information
Description
Real user information such as real ID numbers and phone numbers are being stored in the source code.
Impact
Obtain personal information from the user of the application in order to use it in different attacks such as social engineering, among others.
Recommendation
Personal information should not be exposed in the source code, and in case it is necessary, the data used should not correspond to reality.
Threat
Attacker with access to the applications source code.
Expected Remediation Time
⌚ 60 minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the vulnerability.
Base
- Attack vector: N
- Attack complexity: H
- Privileges required: L
- User interaction: N
- Scope: U
- Confidentiality: L
- Integrity: N
- Availability: N
Temporal
- Exploit code madurity: X
- Remediation level: X
- Report confidence: X
Result
- Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X
- Score:
- Base: 3.1
- Temporal: 3.1
- Severity:
- Base: Low
- Temporal: Low
Code Examples
Compliant code
Sensitive information should be encrypted and stored in a database only accessed with admin privileges
resource "db_storage_rules" "name" {
resource_group_name = db_resource_group.test.name
storage_account_name = db_storage_account.test.name
default_action = "Deny"
}
Non compliant code
There is a file in the source code that stores the employee information
Employees {
ids {
name: "index.html";
phone: "localhost:4446 ssl";
role: "admin";
government_id = "1234095";
}
}
Requirements
- 176. Restrict system objects
- 177. Avoid caching and temporary files
- 261. Avoid exposing sensitive information
- 300. Mask sensitive data
Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.