Unnecessary Data Collection

Overview of the Vulnerability

Unnecessary data collection occurs when an application collects user or user-device data that is not needed for the application's functionality. If an attacker were to gain access to this collected information, they could use it to perform further attacks on the application, the business, or its users.

Business Impact

This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust.

Steps to Reproduce

  1. Enable an HTTP interception proxy, such as Burp Suite or OWASP ZAP

  2. Use a browser to navigate to: {{URL}}

  3. Observe in the HTTP interception proxy that unnecessary data is being collected

Proof of Concept (PoC)

Below is a screenshot demonstrating the unnecessary data collection:

{{screenshot}}

Guidance

Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. Your submission must include evidence of the vulnerability and not be theoretical in nature. For unnecessary data collection, please post a screenshot from an HTTP interception proxy that shows data collection that is extraneous or unnecessary.

Envision how this data could be used to perform malicious actions if obtained by an attacker. If a malicious action is possible, provide a full Proof of Concept (PoC).

Recommendation(s)

It is recommended to reduce the amount of data collected about end users and their devices to what the application's functionality actually requires.
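As an added example (not part of this template, and not code from Bugcrowd), the following script turns the "observe in the proxy" step and the recommendation above into a repeatable data-minimization check. It assumes a HAR export from an interception proxy (both Burp Suite and OWASP ZAP can export HAR) and a per-endpoint allowlist of the parameters each endpoint legitimately needs; the allowlist, the hostname `app.example`, the endpoint paths and the captured values are all constructed for the example. Any parameter sent to an endpoint that is not on its allowlist is reported as extraneous.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Fields each endpoint legitimately needs. Hypothetical allowlist for a
# fictitious application; a real one comes from the feature's data-flow review.
REQUIRED_FIELDS = {
    "/api/login": {"username", "password"},
    "/api/search": {"q"},
}

# Constructed HAR-style capture, shaped like an export from an interception
# proxy. Not real traffic; the IMEI and coordinates are made-up sample values.
SAMPLE_HAR = json.dumps({
    "log": {"entries": [
        {"request": {
            "method": "POST",
            "url": "https://app.example/api/login",
            "postData": {"mimeType": "application/json",
                         "text": json.dumps({"username": "alice",
                                             "password": "hunter2",
                                             "device_imei": "490154203237518",
                                             "contacts_count": 312})}}},
        {"request": {
            "method": "GET",
            "url": "https://app.example/api/search?q=shoes&lat=51.5&lon=-0.12",
        }},
    ]}
})


def extract_fields(request):
    """Return the set of parameter names a request sends, taken from the
    query string and from a JSON or form-encoded body."""
    fields = set(parse_qs(urlsplit(request["url"]).query).keys())
    body = request.get("postData")
    if body:
        mime = body.get("mimeType", "")
        text = body.get("text", "")
        if mime.startswith("application/json"):
            try:
                parsed = json.loads(text)
                if isinstance(parsed, dict):
                    fields |= set(parsed.keys())
            except json.JSONDecodeError:
                pass  # non-JSON body despite the content type: nothing to add
        elif mime.startswith("application/x-www-form-urlencoded"):
            fields |= set(parse_qs(text).keys())
    return fields


def find_extraneous(har_text, required=REQUIRED_FIELDS):
    """Map each captured endpoint path to the parameters it sends beyond its
    allowlist. An endpoint with no allowlist has all of its parameters
    reported, since nothing has been declared necessary for it."""
    findings = {}
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        path = urlsplit(req["url"]).path
        extra = extract_fields(req) - required.get(path, set())
        if extra:
            findings.setdefault(path, set()).update(extra)
    return findings


if __name__ == "__main__":
    for path, extra in sorted(find_extraneous(SAMPLE_HAR).items()):
        print(f"{path}: sends fields not required for this endpoint: "
              + ", ".join(sorted(extra)))
```

Run against a real HAR export by replacing `SAMPLE_HAR` with the file contents; the findings list is the evidence a report needs, and the same allowlist can be kept in the repository so the check runs again after the data collection has been reduced.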