A Sensitive Information Disclosure vulnerability occurs when personally identifiable information (PII), such as credit card numbers, is exposed to unauthorized parties because of inadequate security controls. This can lead to identity theft, financial fraud, and breaches of privacy. To prevent such vulnerabilities, it is essential to implement robust encryption, enforce strict access controls, and regularly audit systems for potential weaknesses.
Encrypt credit card numbers at rest (e.g., using AES-256) and in transit (e.g., TLS 1.2 or higher). Enforce strict role-based access controls so that only authorized personnel or services can view or process cardholder data. Consider using tokenization or hashing to minimize direct storage of raw card numbers. Regularly audit logs, code, and infrastructure configurations to ensure no plain-text credit card data is inadvertently logged or exposed. Employ a Web Application Firewall (WAF) or intrusion detection system to detect and block suspicious traffic targeting card data, and maintain compliance with PCI DSS or other relevant standards to ensure robust handling of sensitive financial information.
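As an added example (not part of the original page), the following stdlib-only Python shows three of the controls above in working form: an audit routine that scans log lines for plain-text card numbers (using the Luhn check to discard look-alike numbers such as transaction ids), a masking helper that keeps only the last four digits, and a minimal in-memory tokenization vault so that the application stores a random token instead of the raw number. The log lines and the `TokenVault` class are constructed for this example; the card numbers are well-known test values, not real cards.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample log lines for the audit demo (not from any real system).
SAMPLE_LOGS = [
    "2024-05-01T12:00:01Z INFO checkout ok txn=1234567890123456 amount=19.99",
    "2024-05-01T12:00:02Z DEBUG payload={'pan': '4111 1111 1111 1111', 'exp': '12/29'}",
    "2024-05-01T12:00:03Z INFO masked card ************4242 charged",
    "2024-05-01T12:00:04Z ERROR gateway timeout for card 5555-5555-5555-4444",
]

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by payment card numbers."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits; this is what logs and screens should show."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_exposed_pans(lines):
    """Audit helper: return (line_number, masked_pan) for every line carrying a
    Luhn-valid 13-19 digit number, i.e. a likely plain-text PAN.
    The Luhn filter is what drops the 16-digit transaction id on line 1."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append((lineno, mask_pan(digits)))
    return findings


class TokenVault:
    """Minimal in-memory tokenization vault (illustrative; a production vault is
    a separately secured service). Callers receive an opaque random token; the
    raw PAN only leaves the vault through detokenize(), which should be reachable
    solely from the payment path."""

    def __init__(self, hmac_key: bytes):
        self._key = hmac_key
        self._pan_by_token = {}
        self._token_by_fingerprint = {}

    def _fingerprint(self, digits: str) -> str:
        # Keyed HMAC rather than a bare SHA-256: the card-number space is small
        # enough that an unkeyed hash of a PAN can be brute-forced offline.
        return hmac.new(self._key, digits.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"[ -]", "", pan)
        if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
            raise ValueError("not a valid card number")
        fp = self._fingerprint(digits)
        if fp in self._token_by_fingerprint:      # same card -> same token
            return self._token_by_fingerprint[fp]
        token = "tok_" + secrets.token_hex(16)    # random, not derived from the PAN
        self._pan_by_token[token] = digits
        self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


if __name__ == "__main__":
    for lineno, masked in find_exposed_pans(SAMPLE_LOGS):
        print(f"line {lineno}: plain-text PAN found, ends in {masked[-4:]}")
    vault = TokenVault(hmac_key=secrets.token_bytes(32))  # key stays inside the vault
    token = vault.tokenize("4111 1111 1111 1111")
    print("application stores:", token, mask_pan("4111111111111111"))
```

Run against the sample lines, the audit flags lines 2 and 4 (a debug dump of the request payload and an error message that echoed the card) and ignores the masked value on line 3 and the transaction id on line 1. The vault returns the same token for the same card, so deduplication and repeat-customer lookups work without the application ever holding the PAN.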
Code: A02:2021
Category: Cryptographic Failures
5.3