Sensitive Data Exposure

What is a Sensitive Data Exposure Vulnerability?

A range of vulnerabilities can be classified as Sensitive Data Exposure. The common theme is that sensitive information (credentials, personal and financial data, session tokens) ends up exposed because it was never cryptographically protected, or was protected with cryptography that does not hold up.

Most commonly, vulnerable applications simply do not encrypt sensitive data at all, storing it in clear text in a database that may then be compromised by SQL injection, a leaked backup or another attack. Once an attacker reaches the storage, nothing stands between them and the data.

Another common mistake is to use weak cryptographic algorithms or keys. Fast, unsalted hashes such as MD5 were considered suitable for password hashing only a few years ago; with the advent of powerful GPUs and ASICs, attackers can now test billions of candidates per second against such hashes, so brute force and dictionary attacks recover most passwords in minutes. Password storage needs a deliberately slow, salted algorithm built for the purpose (bcrypt, scrypt, Argon2 or PBKDF2 with a high iteration count), so that every guess costs the attacker as much as it costs the legitimate login.
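The contrast described above, as an added example (not code from the original page): a constructed password table hashed with unsalted MD5 falls to a tiny wordlist, while the same password stored with salted PBKDF2-HMAC-SHA256 forces the attacker through 600,000 HMAC computations per guess, per user. The record format "pbkdf2_sha256$iterations$salt$key" and the wordlist are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist standing in for the multi-gigabyte lists attackers use.
WORDLIST = ["letmein", "password", "hunter2", "summer2016", "qwerty"]


def md5_hash(password: str) -> str:
    """The weak scheme: a single unsalted MD5 digest of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5(digest: str, wordlist=WORDLIST) -> Optional[str]:
    """Dictionary attack on an unsalted MD5 digest.

    Each candidate costs one cheap hash, and because there is no salt one
    precomputed table serves every user in the database at once.
    """
    for candidate in wordlist:
        if hmac.compare_digest(md5_hash(candidate), digest):
            return candidate
    return None


# Hardened scheme: salted PBKDF2-HMAC-SHA256 with a high iteration count.
# Each guess now costs the attacker 600,000 HMAC computations per user.
PBKDF2_ITERATIONS = 600_000


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return "pbkdf2_sha256$<iterations>$<salt hex>$<key hex>" (hypothetical record format)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored parameters and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    leaked = md5_hash("hunter2")
    print("MD5 digest", leaked, "cracked to", crack_md5(leaked))
    stored = pbkdf2_hash("hunter2")
    print("PBKDF2 record", stored)
    print("verify correct password:", pbkdf2_verify("hunter2", stored))
    print("verify wrong password:", pbkdf2_verify("letmein", stored))
```

The per-user salt is what defeats precomputation: two users with the same password get different records, and a rainbow table built for one salt is useless for the next. The iteration count is the tunable cost; raise it as hardware gets faster, and store it in the record (as done here) so old hashes can still be verified after a change.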

An Example of a Vulnerability

In this example, we consider a web application that allows users to sign in and manage their data. When a user signs in, their unique ID is stored in a cryptographically protected session cookie on their computer.

When building the application, the developers used a framework that includes functionality for securely storing session data in cookies. One of the configuration options of the framework is a "secret key". This is the key used to sign (and, in some frameworks, encrypt) the cookie stored on the user's computer; anyone who knows it can produce cookies the application will accept. In this case, the developers started out by simply setting the key to "my secret key" and never got around to generating a proper cryptographic key.

An attacker is looking to gain access to the private data of arbitrary users. Upon visiting the web application and receiving a session cookie, the attacker runs a brute force attack against it on a powerful GPU, trying candidate keys offline until one reproduces the cookie's signature, and within a few minutes finds the key: "my secret key". Using this key, the attacker can now generate a session cookie containing another user's unique ID and thus sign in as any user without knowing their password.
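The attack and the fix, as an added example that is not part of the original page. The cookie format (base64url payload, a dot, base64url HMAC-SHA256 over the payload) is a hypothetical stand-in for whatever the framework really does, and the candidate key list is constructed; the offline search, the forgery with the recovered key and the random 256-bit replacement key are the points the example makes.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical framework cookie format (an assumption, not any specific framework):
#   base64url(payload) "." base64url(HMAC-SHA256(secret_key, payload))
# The payload is readable by anyone who holds the cookie; only the MAC stops tampering.


def sign_cookie(secret_key: bytes, payload: bytes) -> str:
    mac = hmac.new(secret_key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_cookie(secret_key: bytes, cookie: str) -> Optional[bytes]:
    """Return the payload if the MAC checks out under secret_key, else None."""
    try:
        payload_b64, mac_b64 = cookie.split(".")
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret_key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(expected, mac) else None


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


# --- The attack ------------------------------------------------------------
# Constructed list of guesses; a real attack feeds a GPU cracker a wordlist of
# default and placeholder secrets plus a brute-force mask over short keys.
CANDIDATE_KEYS = [b"secret", b"changeme", b"password", b"my secret key", b"dev"]


def recover_secret_key(cookie: str, candidates=CANDIDATE_KEYS) -> Optional[bytes]:
    """Offline key search: a candidate that reproduces the cookie's MAC is the key.

    Nothing touches the server, so rate limiting and lockouts never trigger.
    """
    for key in candidates:
        if verify_cookie(key, cookie) is not None:
            return key
    return None


def forge_cookie(secret_key: bytes, user_id: int) -> str:
    """With the key in hand, mint a valid session for any user ID."""
    return sign_cookie(secret_key, f"user_id={user_id}".encode())


# --- The fix ---------------------------------------------------------------
def generate_secret_key() -> bytes:
    """256 bits from the OS CSPRNG; keep it out of the code (environment, secret store)."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    weak_key = b"my secret key"
    victim_cookie = sign_cookie(weak_key, b"user_id=42")
    found = recover_secret_key(victim_cookie)
    print("recovered key:", found)
    print("forged cookie accepted as:", verify_cookie(weak_key, forge_cookie(found, 1)))

    strong_key = generate_secret_key()
    print("key search against strong key:",
          recover_secret_key(sign_cookie(strong_key, b"user_id=42")))
```

A 32-byte key from the CSPRNG is outside the reach of any wordlist or mask; the search that found "my secret key" in seconds returns nothing. The remaining work is operational: load the key from the environment or a secret store rather than the repository, and rotate it if it has ever been committed.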

How To Defend Against Sensitive Data Exposure

The primary way to defend against attackers gaining access to sensitive data is a thorough review of the application code and its environment. When we review applications, we focus particularly on the proper use of secure cryptographic algorithms (including slow, salted algorithms for password storage), safe generation and storage of secret keys outside the code base, transport security (TLS everywhere sensitive data travels), and on identifying any occurrence of missing cryptographic protection.


Let Us Review Your Software

We provide code security reviews as a service. Based on our extensive experience in the field of software engineering and IT security, we know how to efficiently review entire code bases and identify the security-critical parts of the software.

This enables us to provide our security code review service at a fixed rate per review, providing our customers a transparent, efficient and reliable process.

Simple Pricing
  • Security review of your software by experts
  • OWASP Top 10 vulnerability check
  • Security Report with recommendations
  • Invaluable insights into the state of security in your application
  • Fixed Price per Review