CWE Glossary

CWE is a trademark of the MITRE Corporation.

Stay in touch

Application security insights and invitations to exclusive events in your inbox


Your data will stay confidential Private and Confidential

Cleartext Storage of Sensitive Information [CWE-312]

This weakness describes a case where sensitive information is stored in clear text in location, accessible by other users.

Created: June 11, 2018

Table of Content

  1. Description
  2. Potential impact
  3. Attack patterns
  4. Affected software
  5. Severity and CVSS Scoring
  6. Mitigations
  7. Vulnerability Remediation Techniques and Examples
  8. References

1. Description

The weakness occurs when application stores valuable information in an unencrypted storage. If the attacker is able to gain access to the storage, the application’s data will get compromised.

This is a typical case of storing access credentials (such as tokens) in a cleartext file or other sensitive data in an unencrypted SQLite database on mobile devices. If the attacker gets physical access to the device or tricks the victim to install a malicious app, it would be possible to extract valuable information.

2. Potential impact

The attacker with ability to access unencrypted storage can read, modify or delete sensitive information.

3. Attack patterns

The following attack patterns can be used to exploit cleartext storage of sensitive information according to CAPEC (Common Attack Pattern Enumeration and Classification) classification:

4. Affected software

This vulnerability is mostly related to software that locally stores sensitive information in the environment that can be accessed by unauthorized parties. This weakness is often detected in mobile applications.

5. Severity and CVSS Scoring

In most cases the vulnerability can be exploited with physical or local access to the affected application. Therefore, the CVSS score for this vulnerability is usually as follows:
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

6. Mitigations

This vulnerability is usually introduced to the application during the architecture and design phase. In most cases it is impossible to mitigate this vulnerability without modification of the application source code.

7. Vulnerability Remediation Techniques and Examples

As this vulnerability is most common for mobile applications, we will provide recommendations how to secure data on mobile devices. Depending on which data needs to be secured the following solutions are available:

Access credentials

If the application uses access credentials to authenticate against a remote instance, it is crucial for the application security to encrypt those credentials or use multiple authentication layers. For example, you can use fingerprint scanner as unique key to decrypt data or ask the user to provide additional password.

SQLite database

It is strongly recommended to use SQLCipher or similar extension to encrypt application database on your mobile device.

8. References

  1. CWE-311: Missing Encryption of Sensitive Data [cwe.mitre.org]
  2. Full Database Encryption for SQLite [zetetic.net]

Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to High-Tech Bridge is given.

↑ Back to Top
High-Tech Bridge on Facebook High-Tech Bridge on Twitter High-Tech Bridge on LinkedIn High-Tech Bridge RSS Feeds Send by Email
Share
Let's Talk