Sensitive Information Disclosure - PII - SSN

Description

A Sensitive Information Disclosure vulnerability occurs when personally identifiable information (PII) such as Social Security Numbers (SSNs) is exposed because of inadequate security measures (for example, SSNs returned in full by an API, written to logs, or stored without encryption). Attackers can exploit this vulnerability to access the sensitive data, leading to identity theft or fraud. Mitigation involves encrypting PII, implementing strict access controls, and regularly auditing systems for disclosure points.

Remediation

Encrypt SSNs at rest and in transit using strong cryptographic standards (e.g., AES-256 for data at rest, TLS 1.2+ for data in transit). Enforce strict access controls and role-based permissions so only authorized personnel or processes can view SSNs. Implement data minimization techniques, avoiding unnecessary storage of SSNs wherever possible. Log and monitor all access to sensitive fields for anomaly detection, and conduct periodic penetration tests or security audits to identify and remediate any disclosure points. Consider tokenizing or masking SSNs in logs and user interfaces to reduce the risk of accidental exposure.
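As an added example (not code from the original entry), the masking-in-logs remediation above in Python: a logger-level filter that rewrites SSN-shaped values before any handler writes them, plus an audit helper that flags existing log lines still carrying a full SSN. The SSN pattern and the sample log messages are constructed assumptions.

```python
import io
import logging
import re

# Constructed assumption: an SSN is nine digits in ddd-dd-dddd layout; the pattern
# also accepts space separators or none, so any plain nine-digit run is treated
# as sensitive (a deliberate false-positive trade-off for log redaction).
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

def mask_ssn(text: str) -> str:
    """Replace every SSN in text with a masked form that keeps only the last four digits."""
    return SSN_RE.sub(lambda m: f"***-**-{m.group(3)}", text)

class SSNRedactingFilter(logging.Filter):
    """Logger-level filter: masks SSNs in the rendered message before any handler sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # getMessage() interpolates %-args, so mask the fully rendered text and
        # clear args so handlers do not re-render the original values.
        record.msg = mask_ssn(record.getMessage())
        record.args = ()
        return True

def log_with_redaction(message: str, *args) -> str:
    """Emit one record through a redacting logger and return the line a handler would write."""
    stream = io.StringIO()
    logger = logging.getLogger("pii-demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(SSNRedactingFilter())
    logger.info(message, *args)
    return stream.getvalue().rstrip("\n")

def find_unmasked_ssns(lines):
    """Audit helper: return the 1-based numbers of lines that still contain a full SSN."""
    return [i for i, line in enumerate(lines, start=1) if SSN_RE.search(line)]

if __name__ == "__main__":
    # Constructed sample: one record rendered through the filter, then an audit of old lines.
    print(log_with_redaction("Lookup failed for customer %s with SSN %s", "Ada", "123-45-6789"))
    old_log = ["INFO user login ok", "DEBUG record 123-45-6789 fetched", "INFO masked ***-**-6789"]
    print(find_unmasked_ssns(old_log))  # [2]
```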

References

https://owasp.org/www-community/attacks/Information_exposure
https://owasp.org/Top10/

Severity

MEDIUM

OWASP

Code: A02:2021

Category: Cryptographic Failures

Classification

CWE: CWE-200

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS 3.1 base score: 5.3

CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS 4.0 base score: 5.3