CWE-359 Detail

CWE-359

Exposure of Private Personal Information to an Unauthorized Actor
Incomplete
2006-07-19
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Meldingen voor een CWE
Blijf op de hoogte van wijzigingen voor een specifieke CWE.
Meldingen beheren

Naam: Exposure of Private Personal Information to an Unauthorized Actor

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

Algemene informatie

Introductiemodi

Architecture and Design : OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.
Implementation
Operation

Toepasselijke platforms

Taal

Class: Not Language-Specific (Undetermined)

Technologieën

Class: Mobile (Undetermined)

Veelvoorkomende gevolgen

Bereik Impact Waarschijnlijkheid
ConfidentialityRead Application Data

Waargenomen voorbeelden

Referenties Beschrijving

CVE-2023-29850

Library management product does not strip Exif data from images

CVE-2020-26220

Customer relationship management (CRM) product does not strip Exif data from images

CVE-2005-0406

Some image editors modify a JPEG image, but the original EXIF thumbnail image is left intact within the JPEG. (Also an interaction error).

Mogelijke risicobeperkingen

Phases : Requirements
Phases : Architecture and Design
Phases : Implementation // Operation

Detectiemethoden

Architecture or Design Review

Effectiviteit : High

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiviteit : High

Automated Static Analysis

Tools are available to analyze documents (such as PDF, Word, etc.) to look for private information such as names, addresses, etc.

Notities kwetsbaarheidsmapping

Rechtvaardiging : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Opmerking : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Gerelateerde aanvalspatronen

CAPEC-ID Naam aanvalspatroon
CAPEC-464 Evercookie
An attacker creates a very persistent cookie that stays present even after the user thinks it has been removed. The cookie is stored on the victim's machine in over ten places. When the victim clears the cookie cache via traditional means inside the browser, that operation removes the cookie from certain places but not others. The malicious code then replicates the cookie from all of the places where it was not deleted to all of the possible storage locations once again. So the victim again has the cookie in all of the original storage locations. In other words, failure to delete the cookie in even one location will result in the cookie's resurrection everywhere. The evercookie will also persist across different browsers because certain stores (e.g., Local Shared Objects) are shared between different browsers.
CAPEC-467 Cross Site Identification
An attacker harvests identifying information about a victim via an active session that the victim's browser has with a social networking site. A victim may have the social networking site open in one tab or perhaps is simply using the "remember me" feature to keep their session with the social networking site active. An attacker induces a payload to execute in the victim's browser that transparently to the victim initiates a request to the social networking site (e.g., via available social network site APIs) to retrieve identifying information about a victim. While some of this information may be public, the attacker is able to harvest this information in context and may use it for further attacks on the user (e.g., spear phishing).
CAPEC-498 Probe iOS Screenshots
An adversary examines screenshot images created by iOS in an attempt to obtain sensitive information. This attack targets temporary screenshots created by the underlying OS while the application remains open in the background.
CAPEC-508 Shoulder Surfing
In a shoulder surfing attack, an adversary observes an unaware individual's keystrokes, screen content, or conversations with the goal of obtaining sensitive information. One motive for this attack is to obtain sensitive information about the target for financial, personal, political, or other gains. From an insider threat perspective, an additional motive could be to obtain system/application credentials or cryptographic keys. Shoulder surfing attacks are accomplished by observing the content "over the victim's shoulder", as implied by the name of this attack.

Notities

This entry overlaps many other entries that are not organized around the kind of sensitive information that is exposed, such as CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer. However, because privacy is treated with such importance due to regulations and other factors, and it may be useful for weakness-finding tools to highlight capabilities that detect personal private information instead of system information, it is not clear whether - or how - this entry should be deprecated.

Referenties

REF-6

Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
Katrina Tsipenyuk, Brian Chess, Gary McGraw.
https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf

REF-338

AOL man pleads guilty to selling 92m email addies
J. Oates.
https://www.theregister.com/2005/02/07/aol_email_theft/

REF-339

Guide to Protecting the Confidentiality of Personally Identifiable Information (SP 800-122)
NIST.
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf

REF-340

Safe Harbor Privacy Framework
U.S. Department of Commerce.
https://web.archive.org/web/20010223203241/http://www.export.gov/safeharbor/

REF-341

Financial Privacy: The Gramm-Leach Bliley Act (GLBA)
Federal Trade Commission.
https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act

REF-342

Health Insurance Portability and Accountability Act (HIPAA)
U.S. Department of Human Services.
https://www.hhs.gov/hipaa/index.html

REF-343

California SB-1386
Government of the State of California.
http://www.leginfo.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

REF-267

FIPS PUB 140-2: SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES
Information Technology Laboratory, National Institute of Standards and Technology.
https://csrc.nist.gov/files/pubs/fips/140-2/upd2/final/docs/fips1402.pdf

REF-172

Mobile App Top 10 List
Chris Wysopal.
https://www.veracode.com/blog/2010/12/mobile-app-top-10-list

REF-1047

General Data Protection Regulation
Wikipedia.
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

REF-1048

California Consumer Privacy Act (CCPA)
State of California Department of Justice, Office of the Attorney General.
https://oag.ca.gov/privacy/ccpa

REF-1515

What to Know About EXIF Data, a More Subtle Cybersecurity Risk
Chester Avey.
https://www.isaca.org/resources/news-and-trends/industry-news/2025/what-to-know-about-exif-data-a-more-subtle-cybersecurity-risk

REF-1516

McAfee's Rookie Mistake Gives Away His Location
Ben Weitzenkorn.
https://www.scientificamerican.com/article/mcafees-rookie-mistake/

Indiening

Naam Organisatie Datum Releasedatum Version
7 Pernicious Kingdoms 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Wijzigingen

Naam Organisatie Datum Opmerking
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Relationships, Other_Notes, Taxonomy_Mappings
CWE Content Team MITRE 2009-03-10 +00:00 updated Other_Notes
CWE Content Team MITRE 2009-07-27 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2009-12-28 +00:00 updated Other_Notes, References
CWE Content Team MITRE 2010-02-16 +00:00 updated Other_Notes, References
CWE Content Team MITRE 2011-03-29 +00:00 updated Other_Notes
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2011-09-13 +00:00 updated Other_Notes, References
CWE Content Team MITRE 2012-05-11 +00:00 updated Related_Attack_Patterns, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2013-02-21 +00:00 updated Applicable_Platforms, References
CWE Content Team MITRE 2014-02-18 +00:00 updated Alternate_Terms, Demonstrative_Examples, Description, Name, Other_Notes, References
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Modes_of_Introduction, References, Relationships
CWE Content Team MITRE 2018-03-27 +00:00 updated Relationships
CWE Content Team MITRE 2019-01-03 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2020-02-24 +00:00 updated Alternate_Terms, Applicable_Platforms, Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Name, Potential_Mitigations, References, Relationships, Type
CWE Content Team MITRE 2020-08-20 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2020-12-10 +00:00 updated Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated References
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2023-01-31 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2023-04-27 +00:00 updated Detection_Factors, References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2024-11-19 +00:00 updated Description, Diagram, Other_Notes
CWE Content Team MITRE 2025-09-09 +00:00 updated References
CWE Content Team MITRE 2025-12-11 +00:00 updated Alternate_Terms, Detection_Factors, Maintenance_Notes, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationships, Weakness_Ordinalities
De informatie die op CVE Find wordt gepresenteerd, is afkomstig van verschillende zorgvuldig geselecteerde referentiebronnen. CVE-gegevens worden geleverd door MITRE Corporation en de National Vulnerability Database (NVD). De Known Exploited Vulnerabilities (KEV)-catalogus is afkomstig van de Cybersecurity and Infrastructure Security Agency (CISA), terwijl EPSS-scores afkomstig zijn van FIRST.org. Daarnaast worden gegevens over softwarezwakheden (CWE) en veelvoorkomende aanvalspatronen (CAPEC) bijgehouden door MITRE Corporation, en informatie over hardware- en softwareconfiguraties (CPE) wordt geleverd door de NVD.