
Sensitive Information Disclosure - PII - TCKN

Description

A Sensitive Information Disclosure vulnerability involving Personally Identifiable Information (PII), such as Turkish Identification Numbers (TCKN), arises when such data is exposed without adequate protection, for example in API responses, log files, or error messages. Exposed TCKNs can lead to identity theft, fraud, or privacy violations for the individuals concerned. To mitigate the risk, implement robust encryption, access controls, and data minimization so that sensitive data is exposed only where strictly necessary, and ensure compliance with applicable privacy regulations.

Remediation

Encrypt sensitive data in transit and at rest, applying strong cryptographic standards. Implement strict access controls and role-based permissions so that only authorized personnel or services can view TCKN or other PII. Use data masking or truncation where feasible to minimize exposure. Regularly audit code and configurations to verify that TCKNs are not accidentally logged or returned in API responses. Employ a Web Application Firewall (WAF) or intrusion detection system to monitor attempts at exfiltrating sensitive data. Maintain compliance with privacy regulations (e.g., KVKK, GDPR) by documenting how PII is collected, stored, and safeguarded, and conduct periodic reviews to detect and resolve any new disclosure points.
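The remediation above calls for auditing logs and API responses for accidentally returned TCKNs and for masking or truncating them where they must appear. The following Python script is an added example, not part of the original entry: it scans constructed sample log lines and a constructed JSON response for 11-digit candidates, uses the publicly documented TCKN checksum (first digit non-zero, tenth digit derived from the weighted sum of the first nine, eleventh digit the sum of the first ten modulo 10) to drop false positives such as order numbers, and redacts confirmed values by keeping only the first three and last two digits. The sample values, field names, and masking policy are assumptions chosen for illustration.

```python
import re

# Constructed sample inputs (not real identifiers).
# 10000000146 satisfies the TCKN checksum; 12345678901 is 11 digits but does not.
SAMPLE_LOG_LINES = [
    "2024-01-01T10:00:00Z INFO user lookup tckn=10000000146 status=200",
    "2024-01-01T10:00:01Z INFO order id=12345678901 status=200",
    "2024-01-01T10:00:02Z DEBUG session token=ab12cd34",
]
SAMPLE_API_RESPONSE = {
    "customer": {"name": "Test User", "tckn": "10000000146"},
    "orderId": "12345678901",
}

# Any 11-digit run starting with 1-9 that is not part of a longer digit run.
TCKN_CANDIDATE = re.compile(r"(?<!\d)[1-9]\d{10}(?!\d)")


def is_valid_tckn(value):
    """Validate the TCKN structure and its two check digits."""
    if not re.fullmatch(r"[1-9]\d{10}", value):
        return False
    d = [int(c) for c in value]
    odd = d[0] + d[2] + d[4] + d[6] + d[8]   # digits 1,3,5,7,9
    even = d[1] + d[3] + d[5] + d[7]          # digits 2,4,6,8
    # Tenth digit: (7*odd - even) mod 10; 9*even is congruent to -even mod 10.
    if (7 * odd + 9 * even) % 10 != d[9]:
        return False
    # Eleventh digit: sum of the first ten digits mod 10.
    return sum(d[:10]) % 10 == d[10]


def find_tckns(text):
    """Return every checksum-valid TCKN found in a string."""
    return [m.group(0) for m in TCKN_CANDIDATE.finditer(text)
            if is_valid_tckn(m.group(0))]


def mask_tckn(value):
    """Keep three leading and two trailing digits (assumed masking policy)."""
    return value[:3] + "*" * 6 + value[-2:]


def redact_text(text):
    """Mask confirmed TCKNs in free text; leave other digit runs untouched."""
    return TCKN_CANDIDATE.sub(
        lambda m: mask_tckn(m.group(0)) if is_valid_tckn(m.group(0)) else m.group(0),
        text,
    )


def scan_log_lines(lines):
    """Return (1-based line number, TCKN) pairs for a log audit."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for tckn in find_tckns(line):
            findings.append((line_no, tckn))
    return findings


def redact_json(obj):
    """Recursively mask TCKNs in string values of a decoded JSON document."""
    if isinstance(obj, dict):
        return {k: redact_json(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_json(v) for v in obj]
    if isinstance(obj, str):
        return redact_text(obj)
    return obj


if __name__ == "__main__":
    for line_no, tckn in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {line_no}: TCKN found, masked as {mask_tckn(tckn)}")
    print(redact_json(SAMPLE_API_RESPONSE))
```

The checksum step is what makes the scanner usable on real logs: a plain 11-digit regex would flag order numbers, phone numbers, and timestamps, while the check digits reject most of them. The same `redact_json` routine can sit in an API response filter so that a TCKN is never serialized in full, which is the data masking the remediation recommends.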

References

https://owasp.org/www-community/attacks/Information_exposure
https://owasp.org/Top10/

Severity

MEDIUM

OWASP

Code: A02:2021

Category: Cryptographic Failures

Classification

CWE-200

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Score: 5.3

CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Score: 5.3