A sensitive information disclosure vulnerability occurs when a Bitcoin wallet address, which is meant to be kept private, is inadvertently exposed to unauthorized parties. This can happen in several ways, such as improper handling of the data in web forms, APIs, or databases. To mitigate this vulnerability, developers should implement robust data handling practices, including encryption and access controls, so that sensitive information like Bitcoin wallet addresses is protected from unauthorized access or exposure.
Do the following, at a minimum, and consult the references:

* Classify data processed, stored, or transmitted by an application. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs.
* Apply controls as per the classification.
* Don’t store sensitive data unnecessarily. Discard it as soon as possible or use PCI DSS–compliant tokenization or even truncation. Data that is not retained cannot be stolen.
* Make sure to encrypt all sensitive data at rest.
* Ensure up-to-date and strong standard algorithms, protocols, and keys are in place; use proper key management.
* Encrypt all data in transit with secure protocols such as TLS, using perfect forward secrecy (PFS) ciphers, cipher prioritization by the server, and secure parameters. Enforce encryption with directives like HTTP Strict Transport Security (HSTS).
* Disable caching for responses containing sensitive data.
* Store passwords using strong adaptive and salted hashing functions with a work factor (delay factor), such as Argon2, scrypt, bcrypt, or PBKDF2.
* Verify independently the effectiveness of configuration and settings.
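The following is an added example, not code from the original finding or from any project it describes. It applies two of the controls listed above using only the Python standard library: storing passwords with a salted, adaptive hash (PBKDF2-HMAC-SHA256, one of the functions named in the list) verified in constant time, and building response headers that disable caching and enforce HSTS for any response that carries sensitive data. The iteration count, header values, record format and function names are assumptions made for this example, not settings taken from the page.

```python
"""Added example (not part of the original page): password storage with a
salted adaptive hash, and response headers for sensitive data.

Assumptions made here: PBKDF2-HMAC-SHA256 with 600,000 iterations, a 16-byte
salt, a "$"-separated storage record, and the header values shown below.
"""
import hashlib
import hmac
import os
from typing import Dict

# Work factor for PBKDF2: an assumed value for this example. Store it in the
# record alongside the hash so it can be raised later without a migration.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    salt = os.urandom(SALT_BYTES)  # unique per password, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iterations; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never accept
    if algorithm != "pbkdf2_sha256" or rounds <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # hmac.compare_digest does not leak the position of the first mismatching byte.
    return hmac.compare_digest(candidate, expected)


def sensitive_response_headers() -> Dict[str, str]:
    """Headers for a response that carries sensitive data (e.g. an account page).

    Cache-Control/Pragma/Expires stop browsers and shared caches from retaining
    the body; HSTS tells the browser to use only HTTPS for this host from now on.
    """
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate",
        "Pragma": "no-cache",
        "Expires": "0",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Type": "application/json; charset=utf-8",
    }


def _hsts_max_age(value: str) -> int:
    """Parse the max-age directive of an HSTS header; 0 if absent or invalid."""
    for part in value.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            try:
                return int(part[len("max-age="):])
            except ValueError:
                return 0
    return 0


def headers_disable_caching(headers: Dict[str, str]) -> bool:
    """Check for a config review: is the response non-cacheable and HSTS-enforced?"""
    cache = headers.get("Cache-Control", "").lower()
    hsts = headers.get("Strict-Transport-Security", "")
    return "no-store" in cache and _hsts_max_age(hsts) > 0


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify bad:", verify_password("wrong password", record))
    print("headers ok:", headers_disable_caching(sensitive_response_headers()))
```

The record stores the algorithm, work factor and salt next to the hash, so verification never depends on a global setting and the iteration count can be raised for new passwords while old records still verify. The header check is the kind of independent verification the last item above asks for: run it against real responses from the application rather than trusting the framework defaults.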
Code: A02:2021
Category: Cryptographic Failures
5.3