Skip to main content

Business information leak - Personal Information


Real user information such as real ID numbers and phone numbers are being stored in the source code.


Obtain personal information from the user of the application in order to use it in different attacks such as social engineering, among others.


Personal information should not be exposed in the source code, and in case it is necessary, the data used should not correspond to reality.


Attacker with access to the applications source code.

Expected Remediation Time

⌚ 60 minutes.


Default score using CVSS 3.1. It may change depending on the context of the vulnerability.


  • Attack vector: N
  • Attack complexity: H
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N


  • Exploit code madurity: X
  • Remediation level: X
  • Report confidence: X


  • Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 3.1
    • Temporal: 3.1
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

Sensitive information should be encrypted and stored in a database only accessed with admin privileges

resource "db_storage_rules" "name" {
resource_group_name =
storage_account_name =
default_action = "Deny"

Non compliant code

There is a file in the source code that stores the employee information

Employees {
ids {
name: "index.html";
phone: "localhost:4446 ssl";
role: "admin";
government_id = "1234095";


free trial

Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.