The term sensitive data exposure means letting unauthorized parties access stored or transmitted sensitive information such as credit card numbers or passwords. Most major security breaches worldwide result in some kind of sensitive data exposure.

Exploiting an attack vector such as a web vulnerability is just the first step that the attacker takes. Further steps usually involve one of three goals: stealing sensitive information, planting malicious software (for example, to attack other targets or enable permanent control/spying), or escalating to other systems (where this choice repeats). Obviously, stealing sensitive information such as credit card data is the most profitable goal for the attacker and most cyberattacks are driven by money, hence sensitive data exposure is the most common attack goal.

Just like it is possible to create software with next to no vulnerabilities, it is also possible to create software that prevents the attacker from accessing sensitive information. Sensitive data exposure is caused by bad design or implementation of computer systems and software as well as misconfiguration of such systems and software.

Defining sensitive data

When you build a web application, you must clearly define what you consider to be sensitive data. While some examples are obvious, like credit card numbers, authentication credentials, or health records, others may not seem so straightforward. Even if a piece of information is to be displayed onscreen by the application, it may still be considered sensitive in transit and storage.

Any type of data that can be considered personal data or private data should be considered sensitive. This means even data such as first and last name, date of birth, or even an email address. Criminals are after such data because they can correlate personal information stolen from other sources to create profiles for identity theft.

Any data related to financials should also be considered sensitive and this does not mean just credit card numbers. For example, bank account numbers, both internal and IBAN, should also be considered sensitive as well as any transaction amounts.

Depending on the industry that your business deals in, some data may be not only considered sensitive but also covered by compliance regulations. Make sure that all that data is secured, both in transit and in storage, otherwise you will lose your compliance.

Sensitive data exposure vulnerabilities in transit

Most websites and web applications nowadays are accessible via secure SSL/TLS connections. Many go as far as enforcing such connections using HTTP strict transport security (HSTS). As a result of this, many web application designers think that it’s safe to transmit sensitive information between the client and the server using clear text.

This mindset is the primary cause of sensitive data exposure in transit. Unfortunately, despite the fact that SSL/TLS provides a high degree of protection, there are cases when a man-in-the-middle attack (MITM) on network traffic is possible. If the attacker somehow manages to access data transmitted between the web application and the user, and this data includes, for example, credit card numbers or clear text passwords, the attack ends up in sensitive data exposure.

Therefore, the best way to protect your web application against sensitive data exposure is never to transmit any sensitive data using clear text and always use cryptographic algorithms to secure them. Note that these should not be weak crypto algorithms because the attacker may store the intercepted data and later attempt to break the encryption using powerful GPUs.

Sensitive data exposure vulnerabilities in storage

Storing sensitive data securely is just as important as transmitting it securely, if not more. If an attacker exploits a vulnerability and gains access to your website or web application, for example, using an SQL injection, they may be able to access the content of your entire database. If any sensitive information is stored in the database without encryption, it’s a guaranteed leak.

When storing sensitive information, using renowned, secure, and strong encryption algorithms is even more important than in the case of transit. A weak algorithm will let the attacker quickly run brute force attacks on the stolen encrypted data and decode the original information.

In addition to strong database encryption, some types of sensitive data need extra protection. For example, passwords that are encrypted or hashed using even the strongest algorithms can be easily broken if the password itself is a weak password. Therefore, avoiding common password vulnerabilities is just as important as encryption or hashing.

Sensitive data exposure vulnerabilities in email

It is shocking to see how many businesses and institutions forget that email is not a secure channel and sensitive data should never be transmitted using this medium. Email connections between the client and the server may be encrypted but the connections between servers are usually done using plain text. The email body is not encrypted, either. And the recipient of the email has no control over how securely their email content is stored or whether it is actually destroyed when the email is deleted client-side.

If your web application sends emails, you should never send any sensitive data in emails and, instead, use the web application itself to present or accept sensitive information. For example, you should never ever send a new password via an email and instead display it for the user on a web page. An institution should also never send any personal and sensitive data in clear text over emails, which is, unfortunately, the way that many government institutions do it in many countries.

Protecting sensitive data

Sensitive data is considered important enough by OWASP (the Open Web Application Security Project) to feature it in the OWASP Top 10 as a separate category. In the 2017 edition, this category was considered the third most important common flaw. We also believe that in the upcoming 2021 OWASP Top 10 this category will only gain in importance. Therefore, you should take great care to protect your sensitive information and avoid sensitive data exposure.

Protecting your sensitive data is really easy as long as you use cryptographic algorithms in transit and in storage along with any side-measures such as, for example, proper key management (so that your keys are as safe as the data itself). In some cases, you don’t even need to transmit or store encrypted data, you can use hash algorithms. Password hashing is the most efficient way to make sure that passwords are never stolen, both in transit and in storage.

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.