What is Sensitive Data Exposure?
Sensitive Data Exposure is a serious vulnerability that can compromise sensitive information in a web application. This type of vulnerability can lead to the exposure of information such as login credentials, personally identifiable information (PII), credit card data, medical history, session tokens, or other authentication credentials. It happens due to insecure storage, transmission, or processing of data. This may result in identity theft, financial fraud, legal, and reputational damage.
The Story
his vulnerability was found in NFT Music Marketplace website by an Indonesian hobbyist pentester named Aminudin.
Based on his story, Aminudin claimed that he was able to gain access to all accounts, including the database and Digitalocean API tokens, by analyzing the website’s JS files.
Aminudin began by inspecting the website’s elements, specifically the JavaScript sources, where he believed the sensitive data could be found.
He searched for keywords such as “username:”, “password:”, and “http”/”https”. Although he did not find anything on the homepage’s JS files, he found a login page for admin when searched using the “https:// ” keyword.
At first, he was unsure of what to do with the admin login page, as he did not have the username and password.
However, he quickly returned to the sources and used the keywords “username” and “password” to search for sources, and he hit the jackpot. He found the source code for Kibana and CouchDB, and discovered the usernames and passwords.
Using these credentials, he gained access to the website’s portainer where he found the private key for the Near account, git account, and the most sensitive information of all, the Digitalocean API token.
With this information, Aminudin could manage all the droplets and projects on the website, including those belonging to the owners.
Fortunately, Aminudin reported the bug, and it was confirmed and fixed in a matter of days. As a reward, Aminudin received 250 NEAR, which was worth $1080 at the time.
This incident highlights the importance of protecting sensitive data in web applications. Proper security measures should be in place to prevent unauthorized access to sensitive information, including using encrypted storage and two-factor authentication. As for Aminudin, he learned that even small acts of curiosity can lead to major discoveries, but it is important to report them to the appropriate parties.
How to Prevent Sensitive Data Exposure?
To prevent sensitive data exposure, there are several steps that can be taken:
- Use strong encryption: Ensure that sensitive data is encrypted both in transit and at rest using strong encryption algorithms.
- Implement access controls: Use access controls to limit access to sensitive data and ensure that only authorized parties have access to it. This includes role-based access control (RBAC), permission levels, and authentication and authorization mechanisms.
- Use secure network connections: Use secure network connections such as HTTPS or SSL/TLS to ensure that data transmitted over the network is encrypted and secure.
- Keep software up-to-date: Ensure that all software, frameworks, and libraries used in the application are kept up-to-date with the latest security patches and updates.
- Regularly test for vulnerabilities: Conduct regular security testing to identify vulnerabilities and weaknesses in the application, including penetration testing, vulnerability scanning, and code review.
- Educate users: Educate users on best practices for protecting their sensitive information, such as using strong passwords, avoiding public Wi-Fi networks, and being cautious of phishing scams.
Link to full write up: here
Save the PDF here