A sensitive information disclosure vulnerability involving MAC addresses occurs when an application or system exposes the link-layer (hardware) address of a device's network interface to parties who have no legitimate need for it, for example in API responses, rendered pages, log files or error messages. A MAC address is normally assigned by the manufacturer and stays the same across networks and sessions, so disclosure lets an observer track a device, and by extension its user, across locations and services; the vendor prefix (OUI) of the address also reveals the manufacturer, which helps an attacker fingerprint and target the device. To mitigate this risk, developers should avoid exposing MAC addresses unless a function strictly requires them, substitute a pseudonymous identifier wherever a stable per-device token is all that is needed, and apply proper access controls and encryption whenever the address itself must be stored or transmitted.
Do the following, at a minimum, and consult the references:
* Classify data processed, stored, or transmitted by an application. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs.
* Apply controls as per the classification.
* Don't store sensitive data unnecessarily. Discard it as soon as possible or use tokenization or truncation. Data that is not retained cannot be stolen.
* Make sure to encrypt any MAC address data at rest, using strong cryptographic standards.
* Ensure up-to-date and robust algorithms, protocols, and keys are in place; use proper key management.
* Encrypt all data in transit with secure protocols (e.g., TLS) that enable perfect forward secrecy (PFS) ciphers, enforce cipher prioritization by the server, and use secure parameters. Implement HTTP Strict Transport Security (HSTS) where applicable.
* Disable caching for responses that contain sensitive data.
* Store passwords using strong adaptive and salted hashing functions with an appropriate work factor (e.g., Argon2, scrypt, bcrypt, PBKDF2).
* Independently verify the effectiveness of configuration and settings, such as via regular penetration testing or security audits.
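The following is an added example, not code from this entry or from any particular product: it shows the "tokenization or truncation" item applied to MAC addresses, alongside a check for raw addresses leaking through a response. The device listing, the `/api/devices`-style response shape and the `PSEUDONYM_KEY` secret are constructed for illustration. The pseudonym is a keyed HMAC rather than a plain hash because the MAC address space is small (2^48 overall, and only 2^24 per known vendor prefix), so an unkeyed SHA-256 of a MAC can be reversed by simple enumeration.

```python
import hashlib
import hmac
import json
import re

# Matches the common textual MAC forms: six hex octets separated by ':' or '-'.
# A heuristic for scanning response bodies and log lines for leaked addresses.
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")


def normalize_mac(mac: str) -> str:
    """Canonical form (lowercase, colon-separated) so '00-1A-..' and '00:1a:..' agree."""
    octets = re.split(r"[:-]", mac.strip())
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(o.lower() for o in octets)


def pseudonymize_mac(mac: str, key: bytes, length: int = 16) -> str:
    """Replace a MAC with a keyed, truncated pseudonym.

    HMAC-SHA256 under a server-side key: without the key the token reveals
    nothing about the address (the address space is too small for an unkeyed
    hash to be safe); with the key the same device always maps to the same
    token, so per-device correlation stays possible inside the trusted system.
    Truncation to `length` hex chars keeps the token short; 64 bits is ample
    for identification and cannot be expanded back into the address.
    """
    digest = hmac.new(key, normalize_mac(mac).encode(), hashlib.sha256).hexdigest()
    return "mac-" + digest[:length]


def find_leaked_macs(text: str) -> list[str]:
    """Return every raw MAC address that appears in a response body or log line."""
    return MAC_RE.findall(text)


def redact_macs(text: str, key: bytes) -> str:
    """Rewrite every raw MAC in free text (e.g. a log line) with its keyed pseudonym."""
    return MAC_RE.sub(lambda m: pseudonymize_mac(m.group(0), key), text)


def sanitize_device_listing(devices: list[dict], key: bytes) -> list[dict]:
    """The API-level fix: never serialize the hardware address, emit a pseudonym."""
    out = []
    for d in devices:
        d = dict(d)
        raw = d.pop("mac", None)
        if raw is not None:
            d["device_id"] = pseudonymize_mac(raw, key)
        out.append(d)
    return out


# Constructed sample of what a leaky device-listing endpoint might return.
LEAKY_DEVICES = [
    {"name": "printer-2f", "ip": "10.0.4.17", "mac": "00:1A:2B:3C:4D:5E"},
    {"name": "badge-reader", "ip": "10.0.4.22", "mac": "f4-5c-89-ab-cd-ef"},
]
# Hypothetical secret for the example; in practice it lives in a KMS or secret store.
PSEUDONYM_KEY = b"example-only-rotate-me"


def leaky_response() -> str:
    """The 'before': raw hardware addresses go straight to the client."""
    return json.dumps(LEAKY_DEVICES)


def hardened_response() -> str:
    """The 'after': the same listing with MACs replaced by keyed pseudonyms."""
    return json.dumps(sanitize_device_listing(LEAKY_DEVICES, PSEUDONYM_KEY))


if __name__ == "__main__":
    print("leaked before fix:", find_leaked_macs(leaky_response()))
    print("hardened response:", hardened_response())
    print("leaked after fix: ", find_leaked_macs(hardened_response()))
```

`find_leaked_macs` is the kind of check to run over captured responses and log output during the "independently verify" step: any raw address it reports is a disclosure. If the business need is only to distinguish devices, the pseudonym is sufficient; if the real address must be retained server-side, keep it encrypted at rest and out of every client-facing path.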
Code: A02:2021
Category: Cryptographic Failures
5.3