-
Notifications
You must be signed in to change notification settings - Fork 45
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Moved PII Leakage to Sensitive Data Exposure category
Also update Automotive category's sensitive data exposure write up. All as per the VRT update in 361 - bugcrowd/vulnerability-rating-taxonomy#361
- Loading branch information
Showing
6 changed files
with
57 additions
and
20 deletions.
There are no files selected for viewing
20 changes: 0 additions & 20 deletions
20
...ption/automotive_security_misconfiguration/infotainment/pii_leakage/template.md
This file was deleted.
Oops, something went wrong.
File renamed without changes.
20 changes: 20 additions & 0 deletions
20
...urity_misconfiguration/infotainment/sensitive_data_leakage_exposure/template.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| # Sensitive Data Leakage Exposure | ||
|
|
||
| ## Overview of the Vulnerability | ||
|
|
||
| The In-Vehicle Infotainment (IVI) system is a the central unit in an automotive vehicle's dashboard that centralizes information and entertainment systems and their controls. Misconfigurations in the IVI system can lead to security weaknesses. The IVI system leaks sensitive data, allowing an attacker to collect this sensitive data via logs and user configurations within the underlying IVI interface. | ||
|
|
||
| ## Business Impact | ||
|
|
||
| Sensitive data that is accessible from within the IVI system can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. Additionally, the impact is further enhanced by the impact of the business having to respond, notify, and recover from a potential data breach if an attacker is successful in exfiltrating PII. | ||
|
|
||
| ## Steps to Reproduce | ||
|
|
||
| 1. Power on {{target}} by {{action}} | ||
| 1. Use {{application}} and notice that the data is stored/transmitted by {{application}} in an insecure manner | ||
|
|
||
| ## Proof of Concept (PoC) | ||
|
|
||
| The image(s) below demonstrates how and where to find the sensitive data on the vulnerable system: | ||
|
|
||
| {{screenshot}} |
7 changes: 7 additions & 0 deletions
7
submissions/description/sensitive_data_exposure/pii_leakage_exposure/guidance.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| # Guidance | ||
|
|
||
| Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed triage time and result in faster rewards. | ||
|
|
||
| For leakage or exposure of PII, do not access any more data than needed to indicate PII for reporting purposes. Accessing data PII can lead to legal consequences. Try to take a screenshot of the data that is being exposed and redact sensitive information. For example, fuzz out all but the first letters/digits of PII within your PoC. | ||
|
|
||
| Describe the impact of the sensitive data being exposed, do your best to describe what the impact for this data may be to the company. |
8 changes: 8 additions & 0 deletions
8
...ons/description/sensitive_data_exposure/pii_leakage_exposure/recommendations.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| # Recommendation(s) | ||
|
|
||
| It is recommended to encrypt sensitive data, including PII, both when at rest and when in transit. All data that is processed, stored, and transmitted by the application should be classified by business need, regulatory and industry requirements, and appropriate privacy laws. | ||
|
|
||
| Additionally, it is best practice to not store sensitive data when it is no longer required, as data that is not retained cannot be accessed and used maliciously. All sensitive data including secrets should therefore be a part of a regularly reviewed maintenance cycle. This review cycle should include rotation of secrets. | ||
|
|
||
| For more information refer to Open Web Application Security Project (OWASP) guide relating to this vulnerability: | ||
| <https://owasp.org/www-project-proactive-controls/v3/en/c8-protect-data-everywhere> |
22 changes: 22 additions & 0 deletions
22
submissions/description/sensitive_data_exposure/pii_leakage_exposure/template.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| # PII Leakage/Exposure | ||
|
|
||
| ## Overview of the Vulnerability | ||
|
|
||
| Personally Identifiable Information (PII) exposure can occur when sensitive data is not encrypted, or behind an authorization barrier. When PII is exposed it can place sensitive data, such as secrets, at risk. This can occur due to a variety of scenarios such as not encrypting data, SSL not being used for authenticated pages, or passwords being stored using unsalted hashes. Examples of such data include, but are not limited to: Social Security Numbers (SSN), medical data, banking information, and login credentials. | ||
|
|
||
| Sensitive data relating to the business was exposed. This data could be exfiltrated and used by an attacker to sell access to databases and database content, or use credentials identified to take over accounts, amongst other attack vectors. | ||
|
|
||
| ## Business Impact | ||
|
|
||
| Leakage or exposure of PII can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. | ||
|
|
||
| ## Steps to Reproduce | ||
|
|
||
| 1. Use a browser to navigate to: {{url}}/data/ | ||
| 1. Observe that secrets are being disclosed | ||
|
|
||
| ## Proof of Concept (PoC) | ||
|
|
||
| The screenshots below displays the PII disclosed: | ||
|
|
||
| {{screenshot}} |