Sensitive Data Exposure

Sensitive data exposure occurs when sensitive user data, such as banking information, health records, or personal details, are not properly protected by an application and are accessible by attackers. This vulnerability arises due to issues like weak encryption, no encryption of databases containing sensitive information, or software flaws that allow unauthorized access to protected data. Proper mitigation requires securely storing, transmitting, and encrypting sensitive data to prevent unauthorized access and use against users.

Uploaded by Glady Gladson

SENSITIVE DATA EXPOSURE

This vulnerability arises when users' sensitive data are not protected in the proper way: an attacker can access the sensitive data exposed by a vulnerable web application and use it against the users.

DESCRIPTION

Sensitive data exposure occurs when an application, company, or other entity inadvertently exposes personal data. Sensitive data exposure differs from a data breach, in which an attacker accesses and steals information.

Sensitive data exposure occurs as a result of not properly protecting a database where information is stored. This might be a result of things such as weak encryption, no encryption, software flaws, or someone mistakenly uploading data to an incorrect database.

The types of sensitive data exposure are:

- Banking information: account numbers, credit card numbers.

- Health information.

- Personal information: SSN/SIN, date of birth, etc.

- User accounts/passwords.

CREDIT CARD ENCRYPTION

An application encrypts credit card numbers in a database using automatic database encryption. However, this means it also decrypts this data automatically when retrieved, allowing a SQL injection flaw to retrieve credit card numbers in clear text. The system should have encrypted the credit card numbers using a public key, and only allowed back-end applications to decrypt them with the private key.
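The split the text describes, an internet-facing tier that can only write card numbers and an isolated back-end that alone can read them, is shown below as an added example (not code from the original document). The tier names, the in-memory "database", the OAEP label and the test card number are all constructed for the illustration; only the standard library is used.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"log"
)

// oaepLabel binds each ciphertext to its purpose (assumed value).
var oaepLabel = []byte("cardholder-pan")

// cardRecord is a constructed stand-in for one row of the card table: the
// column holds ciphertext only, so a query can never return a clear-text PAN.
type cardRecord struct {
	CustomerID string
	CardCipher string // base64(RSA-OAEP ciphertext)
}

// WebTier models the internet-facing application. It is handed the PUBLIC
// key only, so it can write card numbers but has no way to decrypt them.
type WebTier struct {
	pub *rsa.PublicKey
	db  map[string]cardRecord // constructed in-memory "database"
}

// StoreCard encrypts the PAN under the public key before it is written.
func (w *WebTier) StoreCard(customerID, pan string) error {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, w.pub, []byte(pan), oaepLabel)
	if err != nil {
		return err
	}
	w.db[customerID] = cardRecord{CustomerID: customerID, CardCipher: base64.StdEncoding.EncodeToString(ct)}
	return nil
}

// ReadCardColumn models what any query issued through the web tier can
// observe: the stored ciphertext, because nothing in this tier decrypts
// transparently on retrieval.
func (w *WebTier) ReadCardColumn(customerID string) (string, error) {
	rec, ok := w.db[customerID]
	if !ok {
		return "", errors.New("no such customer")
	}
	return rec.CardCipher, nil
}

// PaymentBackend models the isolated back-end service that alone holds the
// private key and is the only place a PAN is ever recovered.
type PaymentBackend struct {
	priv *rsa.PrivateKey
}

// Decrypt recovers the PAN from a ciphertext read out of the database.
func (b *PaymentBackend) Decrypt(cipherB64 string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(cipherB64)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, b.priv, ct, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// NewSystem generates a 2048-bit key pair from crypto/rand and gives each
// tier only the half of the key it needs.
func NewSystem() (*WebTier, *PaymentBackend, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	web := &WebTier{pub: &priv.PublicKey, db: map[string]cardRecord{}}
	return web, &PaymentBackend{priv: priv}, nil
}

func main() {
	web, backend, err := NewSystem()
	if err != nil {
		log.Fatal(err)
	}
	const pan = "4111111111111111" // constructed test card number
	if err := web.StoreCard("cust-42", pan); err != nil {
		log.Fatal(err)
	}
	col, _ := web.ReadCardColumn("cust-42")
	fmt.Println("web tier sees:", col[:24]+"...") // ciphertext only
	clear, _ := backend.Decrypt(col)
	fmt.Println("back-end recovers:", clear)
}
```

Because OAEP is randomised, the same card number stored twice yields different ciphertexts, so the column cannot be searched by value; any lookup has to go through the back-end. In a real deployment the private key would live in an HSM or key-management service rather than in process memory.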

USE OF UNSALTED OR SIMPLE HASHES

A password database uses unsalted or simple hashes to store everyone's passwords. Due to a file upload flaw in the application, an attacker gets access to the password database. The unsalted hashes obtained can be exposed with a rainbow table of pre-calculated hashes, exposing the passwords to the attacker. Hashes generated by simple or fast hash functions may be cracked by GPUs, even if they were salted.
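To make the contrast concrete, the following added example (not from the original document) puts the weak scheme the text describes, one fast unsalted digest per password, next to a salted, iterated scheme. PBKDF2 with HMAC-SHA256 is written out by hand so nothing outside the Go standard library is needed; the record format, the iteration count and the sample passwords are assumptions made for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// DefaultIterations is the work factor for new hashes; tune it so a single
// verification costs a noticeable fraction of a second on your hardware.
const DefaultIterations = 600_000

// UnsaltedSHA256 is the weak scheme from the text: equal passwords give
// equal digests, so one precomputed table matches every user at once, and
// a fast function lets a GPU test billions of guesses per second.
func UnsaltedSHA256(password string) string {
	sum := sha256.Sum256([]byte(password))
	return hex.EncodeToString(sum[:])
}

// pbkdf2SHA256 is a textbook PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var dk []byte
	ctr := make([]byte, 4)
	for block := 1; len(dk) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(ctr, uint32(block))
		prf.Write(ctr)
		u := prf.Sum(nil)            // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T = U_1
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_i = PRF(P, U_{i-1})
			for j := range t {
				t[j] ^= u[j] // T ^= U_i
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// HashPassword returns a self-describing record "pbkdf2-sha256$iter$salt$hash"
// with a fresh 16-byte random salt, so two users sharing a password get
// unrelated records and no precomputed table applies.
func HashPassword(password string, iter int) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := pbkdf2SHA256([]byte(password), salt, iter, 32)
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", iter, hex.EncodeToString(salt), hex.EncodeToString(dk)), nil
}

// VerifyPassword recomputes the hash from the stored record's own salt and
// iteration count and compares in constant time.
func VerifyPassword(record, password string) (bool, error) {
	parts := strings.Split(record, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false, errors.New("unrecognised record format")
	}
	iter, err := strconv.Atoi(parts[1])
	if err != nil || iter < 1 {
		return false, errors.New("bad iteration count")
	}
	salt, err := hex.DecodeString(parts[2])
	if err != nil {
		return false, err
	}
	want, err := hex.DecodeString(parts[3])
	if err != nil {
		return false, err
	}
	got := pbkdf2SHA256([]byte(password), salt, iter, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1, nil
}

func main() {
	// Constructed sample: two users who happen to share a password.
	fmt.Println("unsalted alice:", UnsaltedSHA256("Summer2024!"))
	fmt.Println("unsalted bob:  ", UnsaltedSHA256("Summer2024!")) // identical
	a, _ := HashPassword("Summer2024!", DefaultIterations)
	b, _ := HashPassword("Summer2024!", DefaultIterations)
	fmt.Println("salted alice:", a)
	fmt.Println("salted bob:  ", b) // different salt, different hash
	ok, _ := VerifyPassword(a, "Summer2024!")
	fmt.Println("verify:", ok)
}
```

Storing the iteration count in the record lets you raise the work factor later and re-hash each user's password on their next successful login. A memory-hard function such as scrypt or Argon2 is the better choice where a library is available, since it blunts the GPU advantage the text mentions more than iteration alone does.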

MITIGATION

- The data is never stored in clear text.

- The data is never transmitted in clear text, for example between database and server, or over the internet.

- The algorithms used to encrypt the data are considered strong enough.

- The generation of the keys is secure.

- Browser headers are set to not cache when the sensitive data is presented to the end user.

There are more things to look for when securing data, but what matters most is understanding what data is considered sensitive and making sure it is treated as such in every instance.
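The last mitigation point, telling the browser not to cache a page that shows sensitive data, is shown below as an added example (not code from the original document) in the form of a Go net/http middleware. The route names and the response body are constructed, and the HSTS header is an assumed addition that supports the "never transmitted in clear text" point; it only has effect when the site is served over TLS.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// NoStore wraps routes that render sensitive data. It sets the headers that
// tell browsers and intermediaries not to keep a copy of the response, plus
// an HSTS header (assumed addition) so later requests are not downgraded to
// clear-text HTTP. Headers must be set before the body is written, which is
// why this runs before next.ServeHTTP.
func NoStore(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0")
		h.Set("Pragma", "no-cache") // honoured by HTTP/1.0 caches
		h.Set("Expires", "0")
		h.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains") // effective over TLS only
		next.ServeHTTP(w, r)
	})
}

// IsNoStore reports whether a response's headers forbid caching, i.e. whether
// Cache-Control carries the no-store directive. Useful as a check in tests or
// in a response-inspection hook that flags sensitive routes missing the header.
func IsNoStore(h http.Header) bool {
	for _, d := range strings.Split(h.Get("Cache-Control"), ",") {
		if strings.EqualFold(strings.TrimSpace(d), "no-store") {
			return true
		}
	}
	return false
}

// accountHandler is a constructed endpoint that returns account details.
func accountHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprint(w, `{"account":"****4242","balance":"12.50"}`) // constructed data
}

func main() {
	mux := http.NewServeMux()
	mux.Handle("/account", NoStore(http.HandlerFunc(accountHandler)))
	mux.HandleFunc("/public", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "public page, caching allowed")
	})
	fmt.Println("listening on :8080")
	if err := http.ListenAndServe(":8080", mux); err != nil {
		fmt.Println(err)
	}
}
```

Run it and compare `curl -i localhost:8080/account` with `curl -i localhost:8080/public`: only the sensitive route carries the no-store headers, so a shared or later user of the same browser cannot pull the account page back out of the cache.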
