SecPod SCAP Repo, a repository of SCAP Content (CVE, CCE, CPE, CWE, OVAL and XCCDF)

Download | Alert*

CWE

Plaintext Storage in GUI

ID: 317		Date: (C)2012-05-14 (M)2022-10-10
Type: weakness		Status: DRAFT
Abstraction Type: Variant

Description

Storing sensitive data in plaintext within the GUI makes the data more easily accessible than if encrypted. This significantly lowers the difficulty of exploitation by attackers.

Extended Description

An attacker can often obtain data from a GUI, even if hidden, by using an API to directly access GUI objects such as windows and menus.

Applicable Platforms
Language Class: All
Operating System Class: Sometimes
Operating System Class: Windows

Time Of Introduction

Architecture and Design

Common Consequences

Scope	Technical Impact	Notes
Confidentiality	Read memory Read application data

Detection Methods
None

Potential Mitigations

Phase	Strategy	Description	Effectiveness	Notes
		Sensitive information should not be stored in plaintext in a GUI. Even if heavy fortifications are in place, sensitive data should be encrypted to prevent the risk of losing confidentiality.

Relationships

Related CWE	Type	View	Chain
CWE-317 ChildOf CWE-895	Category	CWE-888

Demonstrative Examples
None

Observed Examples

CVE-2002-1848 : Unencrypted passwords stored in GUI dialog may allow local users to access the passwords.

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

Taxynomy	Id	Name	Fit
PLOVER		Plaintext Storage in GUI

References:
None


30479



423868



249461



909



195508



282