CWE is a trademark of the MITRE Corporation.
Cleartext Storage of Sensitive Information [CWE-312]
This weakness describes a case where sensitive information is stored in cleartext in a location that is accessible to other users.
Created: June 11, 2018
Table of Contents
- Potential impact
- Attack patterns
- Affected software
- Severity and CVSS Scoring
- Vulnerability Remediation Techniques and Examples
The weakness occurs when an application stores valuable information in unencrypted storage. If an attacker gains access to that storage, the application's data is compromised.
A typical case is storing access credentials (such as tokens) in a cleartext file, or other sensitive data in an unencrypted SQLite database, on a mobile device. If the attacker gets physical access to the device or tricks the victim into installing a malicious app, it is possible to extract the valuable information.
2. Potential impact
An attacker with the ability to access the unencrypted storage can read, modify or delete the sensitive information.
3. Attack patterns
The following attack patterns from the CAPEC (Common Attack Pattern Enumeration and Classification) classification can be used to exploit cleartext storage of sensitive information:
- CAPEC-37: Retrieve Embedded Sensitive Data
- CAPEC-65: Sniff Application Code
- CAPEC-167: White Box Reverse Engineering
4. Affected software
This vulnerability mostly affects software that locally stores sensitive information in an environment that can be accessed by unauthorized parties. The weakness is frequently found in mobile applications.
5. Severity and CVSS Scoring
In most cases the vulnerability can only be exploited with physical or local access to the affected application. Therefore, the CVSS score for this vulnerability is usually as follows:
This vulnerability is usually introduced to the application during the architecture and design phase. In most cases it is impossible to mitigate this vulnerability without modification of the application source code.
7. Vulnerability Remediation Techniques and Examples
As this vulnerability is most common in mobile applications, the recommendations below focus on securing data on mobile devices. Depending on which data needs to be secured, the following solutions are available:
If the application uses access credentials to authenticate against a remote instance, it is crucial for the application's security to encrypt those credentials or to use multiple authentication layers. For example, the fingerprint scanner can serve as a unique key to decrypt the data, or the user can be asked to provide an additional password.
It is strongly recommended to use SQLCipher or a similar extension to encrypt the application database on the mobile device.
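The following Go program is an added example written for this page; it is not code from High-Tech Bridge, from SQLCipher, or from any project the page describes. It puts the weakness from the description (a token written to storage as-is) next to the remediation above (the credential encrypted under a key the user unlocks). The names `SealToken`, `OpenToken`, `ContainsCleartext` and `pbkdf2HmacSha256` are mine, the token value is constructed, and a passphrase stands in for the fingerprint-unlocked key mentioned above; the vault is AES-256-GCM with the key derived by PBKDF2-HMAC-SHA256, implemented from the standard library so nothing external is needed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen   = 16      // random salt stored in the blob, so every vault gets a distinct key
	nonceLen  = 12      // standard AES-GCM nonce size
	keyLen    = 32      // AES-256
	kdfRounds = 100_000 // PBKDF2 iterations; tune upward on real hardware
)

// pbkdf2HmacSha256 implements PBKDF2 (RFC 8018) with HMAC-SHA256 using only the standard library.
func pbkdf2HmacSha256(passphrase, salt []byte, rounds, length int) []byte {
	prf := hmac.New(sha256.New, passphrase)
	out := make([]byte, 0, length+prf.Size())
	idx := make([]byte, 4)
	for i := 1; len(out) < length; i++ {
		binary.BigEndian.PutUint32(idx, uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx)
		u := prf.Sum(nil)              // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T_i = U_1 xor U_2 xor ... xor U_c
		for r := 1; r < rounds; r++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:length]
}

func newGCM(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2HmacSha256([]byte(passphrase), salt, kdfRounds, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealToken encrypts a credential under a passphrase-derived key. Blob layout: salt || nonce || ciphertext+tag.
func SealToken(token, passphrase string) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	salt, nonce := hdr[:saltLen], hdr[saltLen:]
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	// The salt is bound as associated data, so moving a ciphertext under another salt fails too.
	return gcm.Seal(append([]byte(nil), hdr...), nonce, []byte(token), salt), nil
}

// OpenToken reverses SealToken; a wrong passphrase, truncation or a flipped bit all fail the GCM tag check.
func OpenToken(blob []byte, passphrase string) (string, error) {
	if len(blob) < saltLen+nonceLen+16 {
		return "", errors.New("vault blob too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, nonce, ct, salt)
	if err != nil {
		return "", errors.New("wrong passphrase or tampered vault")
	}
	return string(pt), nil
}

// ContainsCleartext is the reviewer's check over files pulled from a device: is the credential readable without a key?
func ContainsCleartext(stored []byte, token string) bool {
	return bytes.Contains(stored, []byte(token))
}

func main() {
	const token = "tok_constructed_8f2c" // constructed sample credential
	// The weakness: a cleartext file holds exactly these bytes, readable by anything that can read the file.
	fmt.Println("cleartext file leaks token:", ContainsCleartext([]byte(token), token))
	blob, _ := SealToken(token, "user passphrase")
	fmt.Println("encrypted vault leaks token:", ContainsCleartext(blob, token))
	_, err := OpenToken(blob, "wrong passphrase")
	fmt.Println("wrong passphrase rejected:", err != nil)
}
```

`ContainsCleartext` is the same test an auditor applies to a backup or a copied SQLite file: if the raw bytes contain the credential, the storage is cleartext regardless of file permissions. On a real device the key should live in the platform keystore (Android Keystore, iOS Keychain) behind the user's biometric or passcode rather than being derived from a typed passphrase; the passphrase here only keeps the example self-contained.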
- CWE-311: Missing Encryption of Sensitive Data [cwe.mitre.org]
- Full Database Encryption for SQLite [zetetic.net]
Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to High-Tech Bridge is given.