Privacy Violation| ID: 359 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: INCOMPLETE |
| Abstraction Type: Class |
Description
Mishandling private information, such as customer passwords or
social security numbers, can compromise user privacy and is often
illegal.
Applicable PlatformsLanguage Class: All
Time Of Introduction
- Architecture and Design
- Implementation
- Operation
Related Attack Patterns
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Confidentiality | Read application
data | |
Detection MethodsNone
Potential MitigationsNone
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-359 ChildOf CWE-907 | Category | CWE-888 | |
Demonstrative Examples (Details)
- The following code contains a logging statement that tracks the
contents of records added to a database by storing them in a log file. Among
other values that are stored, the getPassword() function returns the
user-supplied plaintext password associated with the account.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| 7 Pernicious Kingdoms | | Privacy Violation | |
| CERT Java Secure Coding | FIO13-J | Do not log sensitive information outside a trust
boundary | |
References:
- J. Oates .AOL man pleads guilty to selling 92m email
addies. The Register. Published on 2005.
- U.S. Department of Commerce .Safe Harbor Privacy Framework.
- Federal Trade Commission .Financial Privacy: The Gramm-Leach Bliley Act
(GLBA).
- U.S. Department of Human Services .Health Insurance Portability and Accountability Act
(HIPAA).
- Government of the State of California .California SB-1386. Published on 2002.
- Information Technology Laboratory, National Institute of
Standards and Technology .SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC
MODULES. 2001-05-25.
