Because the information is stored in cleartext (i.e., unencrypted), attackers could potentially read it. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.
When organizations adopt cloud services, it can be easier for attackers to access the data from anywhere on the Internet.
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
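As an added example that is not part of this CWE entry, the "encoded is not encrypted" point above in Python: a base64 "obfuscated" password beside the check a secrets scanner can apply to flag it as cleartext-equivalent, and a salted PBKDF2 record as the mitigation for credentials that only ever need to be verified. The iteration count and record layout are assumptions for this example.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

# Weak pattern (the CWE-312 case): the password is only *encoded*. Anyone who
# can read the config file or cookie can recognise base64 and reverse it.
def store_password_encoded(password: str) -> str:
    return base64.b64encode(password.encode()).decode()

# What a scanner can do with such a value: if it is valid base64 and decodes
# to printable text, treat the stored value as cleartext for review purposes.
def looks_like_encoded_secret(value: str):
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if decoded and decoded.isprintable() else None

# Mitigation for credentials that only need to be *verified*: persist a salted
# PBKDF2-HMAC-SHA256 hash so the password itself never reaches disk.
# Iteration count is an assumption chosen for this example.
PBKDF2_ITERATIONS = 600_000

def store_password_hashed(password: str, salt=None) -> dict:
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iter": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}

def verify_password(password: str, record: dict) -> bool:
    expected = bytes.fromhex(record["hash"])
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iter"])
    # Constant-time comparison avoids leaking the hash through timing.
    return hmac.compare_digest(actual, expected)
```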
| Scope | Impact | Likelihood |
|---|---|---|
| Confidentiality | Read Application Data. Note: An attacker with access to the system could read sensitive information stored in cleartext. | |
| Reference | Description |
|---|---|
| | Remote Terminal Unit (RTU) uses a driver that relies on a password stored in plaintext. |
| | Password and username stored in cleartext in a cookie. |
| | Password stored in cleartext in a file with insecure permissions. |
| | Chat program disables SSL in some circumstances even when the user says to use SSL. |
| | Chain: product uses an incorrect public exponent when generating an RSA key, which effectively disables the encryption. |
| | Storage of unencrypted passwords in a database. |
| | Storage of unencrypted passwords in a database. |
| | Product stores a password in cleartext in memory. |
| | Storage of a secret key in cleartext in a temporary file. |
| | SCADA product uses HTTP Basic Authentication, which is not encrypted. |
| | Login credentials stored unencrypted in a registry key. |
| | Plaintext credentials in world-readable file. |
| | Password in cleartext in config file. |
| | Password in cleartext in config file. |
| | Decrypted copy of a message written to disk given a combination of options and when user replies to an encrypted message. |
| | Plaintext storage of private key and passphrase in log file when user imports the key. |
| | Admin password in plaintext in a cookie. |
| | Default configuration has cleartext usernames/passwords in cookie. |
| | Usernames/passwords in cleartext in cookies. |
| | Authentication information stored in cleartext in a cookie. |
| CAPEC-ID | Attack Pattern Name | Description |
|---|---|---|
| CAPEC-37 | Retrieve Embedded Sensitive Data | An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack. |
| Name | Organization | Date | Date Release | Version |
|---|---|---|---|---|
| PLOVER | | | | Draft 3 |
| Name | Organization | Date | Comment |
|---|---|---|---|
| Eric Dalci | Cigital | | updated Time_of_Introduction |
| CWE Content Team | MITRE | | updated Relationships, Taxonomy_Mappings |
| CWE Content Team | MITRE | | updated Description, Name |
| CWE Content Team | MITRE | | updated References |
| CWE Content Team | MITRE | | updated Relationships |
| CWE Content Team | MITRE | | updated Common_Consequences |
| CWE Content Team | MITRE | | updated Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Related_Attack_Patterns, Relationships |
| CWE Content Team | MITRE | | updated Applicable_Platforms, References |
| CWE Content Team | MITRE | | updated Description, Relationships, Terminology_Notes |
| CWE Content Team | MITRE | | updated Demonstrative_Examples, Relationships, Taxonomy_Mappings |
| CWE Content Team | MITRE | | updated Related_Attack_Patterns |
| CWE Content Team | MITRE | | updated Modes_of_Introduction, References, Relationships |
| CWE Content Team | MITRE | | updated Abstraction, Relationships |
| CWE Content Team | MITRE | | updated References, Relationships, Type |
| CWE Content Team | MITRE | | updated Relationships, Type |
| CWE Content Team | MITRE | | updated Applicable_Platforms, Relationships |
| CWE Content Team | MITRE | | updated Demonstrative_Examples |
| CWE Content Team | MITRE | | updated Relationships |
| CWE Content Team | MITRE | | updated Applicable_Platforms, Demonstrative_Examples, Description, Observed_Examples, Potential_Mitigations, References |
| CWE Content Team | MITRE | | updated Applicable_Platforms, Demonstrative_Examples, Description, References, Relationships |
| CWE Content Team | MITRE | | updated Detection_Factors, References, Relationships, Taxonomy_Mappings |
| CWE Content Team | MITRE | | updated Mapping_Notes, Relationships |
| CWE Content Team | MITRE | | updated Taxonomy_Mappings |