
Business Information Leak - Personal Information - Elixir


Need

Avoid exposing real users' personal information by storing it in the source code


Context

  1. Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  2. Usage of Plug (1.12.0 and above) for building composable web application modules

Description

Insecure Code Example

defmodule MyApp.UserController do
  use MyApp.Web, :controller

  def show(conn, %{"id" => id}) do
    # Real personal data hard-coded as literals: anyone who can read the
    # repository, a build artifact or a stack trace can read these values.
    user = %{id: "real_id", phone: "real_phone_number"}
    render(conn, "show.json", user: user)
  end
end

The insecure code embeds real personal information (such as ID numbers and phone numbers) as literals in the source code. Anyone with access to the repository or its build artifacts can read it, which could lead to a serious data breach in which the leaked information is used for malicious purposes such as social engineering attacks.

Steps

  1. Never hard-code real personal information within your source code.
  2. Use environment variables or secure configuration files to store sensitive data if necessary.

Secure Code Example

defmodule MyApp.UserController do
  use MyApp.Web, :controller

  def show(conn, %{"id" => id}) do
    # Values come from the process environment at request time, so the
    # repository never contains them. System.get_env/1 returns nil when a
    # variable is unset, so the fields render as null rather than failing.
    user = %{id: System.get_env("USER_ID"), phone: System.get_env("PHONE_NUMBER")}
    render(conn, "show.json", user: user)
  end
end

The secure code reads the values from environment variables instead of hard-coding them. The personal information never appears in the source code, so it cannot leak through the repository or its build artifacts.
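The same approach with the values loaded once at boot through `config/runtime.exs`, as an added example that is not part of the original page. It assumes the application name `:my_app` and the config key `:demo_user`; `System.fetch_env!/1` makes a missing variable a startup error instead of a silent `nil`, and `Map.take/2` limits the rendered fields to an explicit allow-list.

```elixir
# config/runtime.exs (assumed path): evaluated when the release starts,
# so the values are never compiled into the code or committed to the repo.
import Config

# fetch_env!/1 raises at boot when a variable is missing, unlike
# System.get_env/1, which would return nil and render the field as null.
config :my_app, :demo_user,
  id: System.fetch_env!("USER_ID"),
  phone: System.fetch_env!("PHONE_NUMBER")

# lib/my_app_web/controllers/user_controller.ex (assumed path)
defmodule MyApp.UserController do
  use MyApp.Web, :controller

  # Only these keys reach the JSON view; a key added to the config later
  # cannot leak through the response by accident.
  @rendered_fields [:id, :phone]

  def show(conn, %{"id" => _id}) do
    user =
      :my_app
      |> Application.fetch_env!(:demo_user)
      |> Map.new()
      |> Map.take(@rendered_fields)

    render(conn, "show.json", user: user)
  end
end
```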


References

  • 226 - Business Information Leak - Personal Information

  • Last updated: 2023/09/18