226 – Business information leak - Personal Information

Description

Real user information such as real ID numbers and phone numbers are being stored in the source code.

Impact

Obtain personal information from the user of the application in order to use it in different attacks such as social engineering, among others.

Recommendation

Personal information should not be exposed in the source code, and in case it is necessary, the data used should not correspond to reality.

Threat

Attacker with access to the applications source code.

Expected Remediation Time

60 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: H
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): L
• Integrity (VI): N
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Requirements

• 176 - Restrict system objects
• 177 - Avoid caching and temporary files
• 180 - Use mock data
• 261 - Avoid exposing sensitive information
• 300 - Mask sensitive data

Fixes

• Csharp
• Dart
• Elixir
• Go
• Java
• Python
• Scala
• Typescript

Last updated

2024/02/16