
Commit f60a9ea

Merge pull request #559 from bugcrowd/RRudder-patch-3
Update wording of PII exposure
2 parents ce043d5 + a36b192 commit f60a9ea

File tree (1 file changed, +5 -5 lines):
  • submissions/description/sensitive_data_exposure/disclosure_of_secrets/pii_leakage_exposure

@@ -1,18 +1,18 @@
1-
Personally Identifiable Information (PII) exposure can occur when sensitive data is not encrypted, or behind an authorization barrier. When PII is exposed it can place sensitive data, such as secrets, at risk. This can occur due to a variety of scenarios such as not encrypting data, SSL not being used for authenticated pages, or passwords being stored using unsalted hashes. Examples of such data include, but are not limited to: Social Security Numbers (SSN), medical data, banking information, and login credentials.
1+
Personally Identifiable Information (PII) can be disclosed by the application due to failing authentication, authorization, or encryption controls. An attacker can abuse this exposed PII to sell access to databases and database content, or use credentials identified to take over accounts, amongst other attack vectors. This can further lead to identity theft, fraud, and legal non-compliance (e.g., GDPR, CCPA, HIPAA violations).
22

3-
Sensitive data relating to the business was exposed. This data could be exfiltrated and used by an attacker to sell access to databases and database content, or use credentials identified to take over accounts, amongst other attack vectors.
3+
Personally Identifiable Information (PII) refers to any data that can be used to identify a specific individual, including, but not limited to, full names, addresses, phone numbers, email addresses, government-issued IDs, financial information.
44

55
**Business Impact**
66

7-
Leakage or exposure of PII can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application.
7+
Leakage or exposure of PII can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. This could also result in reputational damage for the business through the impact to customers’ trust, as well as legal non-compliance (e.g., GDPR, CCPA, HIPAA violations). The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application.
88

99
**Steps to Reproduce**
1010

1111
1. Use a browser to navigate to: {{url}}/data/
12-
1. Observe that secrets are being disclosed
12+
1. Observe that PII are being disclosed
1313

1414
**Proof of Concept (PoC)**
1515

16-
The screenshots below displays the PII disclosed:
16+
The screenshot(s) below demonstrate(s) the vulnerability:
1717

1818
{{screenshot}}
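Review bot: the new line 3 defines PII, but the new line 1 already expands and uses the term, so the definition now lands after first use; move the definition paragraph ahead of the exposure paragraph, or fold it into the opening sentence of line 1. In the same hunk, the new line 1 and the new line 7 both add the clause "legal non-compliance (e.g., GDPR, CCPA, HIPAA violations)", so the compliance impact is stated twice in one short template; keep it in the Business Impact paragraph only. The rewritten line 1 also drops the concrete causes the old text listed (data not encrypted, SSL not used for authenticated pages, passwords stored as unsalted hashes); since this template guides reporters on what to look for, consider keeping one sentence of example causes alongside the new "failing authentication, authorization, or encryption controls" wording. Two grammar points: the list in the new line 3 needs a conjunction before its last item ("government-issued IDs, and financial information"), and the new step 2 should read "Observe that PII is being disclosed", since PII is used as a mass noun throughout the rest of the file.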
