Disclosure of Known Public Information

Sensitive Data Exposure: Disclosure of Known Public Information

Overview of the Vulnerability

Sensitive data is exposed when it is served without an authorization check in front of it. Once exposed, it can place the application at further risk of compromise. Common causes include data that is stored or transmitted without encryption, secrets committed to public repositories on GitHub, and internal assets reachable from the Internet.

This application discloses information that is already publicly known. Because the data is already public, the direct risk is low; the concern is that an attacker can combine it with other sources to build a profile of the business, the application, and its users for use in further attacks.

Business Impact

Disclosure of known public information can cause reputational damage if an attacker uses it in further attacks, such as social engineering of staff or customers, that erode customers' trust in the business.

Steps to Reproduce

  1. Use a browser to navigate to: {{url}}

  2. Observe that publicly known information is being disclosed
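The second step is manual in the template. As an added example (not part of the original template), the script below shows one way to make the observation repeatable: it scans a single HTTP response (headers and body) for the kinds of disclosure the overview lists, then separates items that are expected to be public from items that need review. The response, hostnames, addresses and version strings are constructed for illustration; `PUBLIC_MAILBOXES` and the regexes are assumptions about what counts as "already public" and should be tuned per engagement.

```python
import re
from dataclasses import dataclass

# Constructed sample response (not captured from any real host). Every value
# below is invented for illustration.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=utf-8",
}
SAMPLE_BODY = """<html><head><title>Example Corp</title></head>
<body>
<!-- TODO: remove before launch, staging at 10.0.12.7 -->
<p>Contact: support@example.com, +1 555 0100</p>
<p>Registered office: 1 Example Street, Springfield</p>
<script src="/static/app.js?v=3.2.1"></script>
</body></html>"""

# Role mailboxes a business normally publishes on purpose (assumption).
PUBLIC_MAILBOXES = {"support", "info", "sales", "contact", "press"}

# Response headers that commonly carry component version strings.
VERSION_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-Generator")

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# RFC 1918 ranges only; a public address in a page is not by itself a finding.
PRIVATE_IPV4_RE = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
)
HTML_COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)


@dataclass(frozen=True)
class Finding:
    category: str
    value: str
    already_public: bool  # True when the business would expect this to be public


def scan_response(headers: dict, body: str) -> list:
    """Return every disclosure the heuristics recognise in one response."""
    findings = []
    for name in VERSION_HEADERS:
        value = headers.get(name)
        if value and re.search(r"\d+\.\d+", value):
            findings.append(Finding("version_header", f"{name}: {value}", False))
    for m in EMAIL_RE.finditer(body):
        addr = m.group(0)
        local = addr.split("@", 1)[0].lower()
        findings.append(Finding("email", addr, local in PUBLIC_MAILBOXES))
    for m in PRIVATE_IPV4_RE.finditer(body):
        findings.append(Finding("private_ipv4", m.group(0), False))
    for m in HTML_COMMENT_RE.finditer(body):
        text = m.group(1).strip()
        if text:
            findings.append(Finding("html_comment", text, False))
    return findings


def triage(findings: list) -> tuple:
    """Split findings into (already public, needs review).

    Items in the first list match this template (known public information);
    items in the second may be a higher-severity exposure and need a human look.
    """
    public = [f for f in findings if f.already_public]
    review = [f for f in findings if not f.already_public]
    return public, review


if __name__ == "__main__":
    public, review = triage(scan_response(SAMPLE_HEADERS, SAMPLE_BODY))
    print("Already public (informational):")
    for f in public:
        print(f"  [{f.category}] {f.value}")
    print("Needs review:")
    for f in review:
        print(f"  [{f.category}] {f.value}")
```

The split matters for the report: a published support address belongs under this template, while an internal IP address in a leftover HTML comment or a precise component version is a different, usually more severe, finding and should not be filed as "known public information".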

Proof of Concept (PoC)

The screenshot(s) below display the publicly known information that is disclosed:

{{screenshot}}

Recommendation(s)

First, review the information the application exposes and remove anything that is not required for it to function; information that is deliberately public (for example a support contact) can remain, but it should be a conscious decision rather than an accident of how a page was built. Note that encryption in transit does not help here on its own: data the application chooses to send to an unauthenticated client is readable by that client regardless of TLS.

More broadly, all data that is processed, stored, and transmitted by the application should be classified by business need, regulatory and industry requirements, and applicable privacy laws, and sensitive data, including secrets, should be encrypted both at rest and in transit.

Additionally, do not retain sensitive data once it is no longer required, as data that is not retained cannot be accessed and used maliciously. All sensitive data, including secrets, should therefore be part of a regularly reviewed maintenance cycle that includes rotation of secrets. Any secret found to be exposed publicly (for example in a public repository) should be rotated immediately rather than at the next scheduled review.

For more information, refer to the Open Web Application Security Project (OWASP) Proactive Controls guidance relating to this vulnerability: https://owasp.org/www-project-proactive-controls/v3/en/c8-protect-data-everywhere
