Remember those tired Devs?
Well, sometimes they tend to make mistakes, as mentioned before, but imagine, writing everything important to you on a wall visible to everyone (yes, this is a Iron Maiden reference).
Imagine your E-mail password, or details of your bank account simply lying, sunbathing across the server that, with a simple few clicks, is available to anyone.
When talking about Sensitive Data Exposure or Information Disclosure we usually refer to a vulnerability today known as Cryptographic Failures which is the A2 on the OWASP Top Ten, and from its high position we understand how critical this subject.
When our information\data is exposed it means that anyone can access it, we don’t want it to happen, and why? as implied before, this data is sensitive, which means it has a certain value to the person who owns it, whether it’s sentimental or financial value, the same person will not want this information to be exposed to anyone, he wants it to be protected, it can affect and tilt entire lives.
In recent years, the Exposure of sensitive information is considered the most common, and, most influential types of attacks.
The Exposure of sensitive information can happen as a result of several reasons, for example:
- Simply not encrypting the DATA – when developing a website it’s important to save data such as: Admin passwords, usernames, code who is sensitive to injections and such under a “lock and key”, “hiding” them, so that you, and only you can reach them.
- When encrypting is employed – but using weak key generations and management, using weak algorithms and using common protocols and cipher methods.
- Hinting the keywords – to an Admin password by using a password related to the name of the app, her functions and such.
Some types of attacks :
- Directory Indexing – when a user types in a certain request for a page on a web site, the web server processes the request, searches the web document root directory for the default file name, and then sends this page to the user instead, if the server cannot find (and it won’t) the page, it will issue a directory listing and send the output in HTML format to the user which provides him a VIP ticket straight to “backstage”.
- Information Disclosure signatures – these attacks allow the attacker to “steal” digital signatures which allows him to pretend to be someone else.
In conclusion, we see that the “know thy enemy” approach works greatly for the attacker, the more he knows about a certain website, the easier it will be for him to retrieve information about it and use it for his own advantage, any thing can help him: from app versions to patch levels and so on..
So how to stop our information from being “bill-boarded” and visible to all?
Well, first, let your devs have some sleep,
Secondly, don’t write important things in places people can find, where are the times we used to keep our Club Penguin password on a small note under the pillow?
And thirdly, you can turn to the PROS,
in Kayran we will make sure hide your information, preventing it from spreading across the internet like wildfire or peanut butter on my sandwich.
As always, stay safe, choose Kayran.