Cleartext Storage of Sensitive Information
Draft Base
Structure: Simple
Description
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Common Consequences 1
Scope: Confidentiality
Impact: Read Application Data
An attacker with access to the system could read sensitive information stored in cleartext (i.e., unencrypted). Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.
Detection Methods 1
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)Potential Mitigations 2
Phase: ImplementationSystem ConfigurationOperation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Phase: ImplementationSystem ConfigurationOperation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
Demonstrative Examples 7
ID : DX-44
The following code excerpt stores a plaintext user account ID in a browser cookie.Code Example:
Bad
Java
javaBecause the account ID is in plaintext, the user's account information is exposed if their computer is compromised by an attacker.
ID : DX-40
This code writes a user's login information to a cookie so the user does not have to login again later.Code Example:
Bad
PHP
phpThe code stores the user's username and password in plaintext in a cookie on the user's machine. This exposes the user's login information if their computer is compromised by an attacker. Even if the user's machine is not compromised, this weakness combined with cross-site scripting (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')) could allow an attacker to remotely copy the cookie.
Also note this example code also exhibits Plaintext Storage in a Cookie (Cleartext Storage of Sensitive Information in a Cookie).
ID : DX-41
The following code attempts to establish a connection, read in a password, then store it to a buffer.Code Example:
Bad
C
cWhile successful, the program does not encrypt the data before writing it to a buffer, possibly exposing it to unauthorized actors.
ID : DX-43
The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext.This Java example shows a properties file with a cleartext username / password pair.
Code Example:
Bad
Java
Java Web App ResourceBundle properties file*
javaThe following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database but the pair is stored in cleartext.
Code Example:
Bad
ASP.NET
asp.netUsername and password information should not be included in a configuration file or a properties file in cleartext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information.
ID : DX-153
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.At least one OT product stored a password in plaintext.
ID : DX-155
In 2021, a web site operated by PeopleGIS stored data of US municipalities in Amazon Web Service (AWS) Simple Storage Service (S3) buckets.Code Example:
Bad
Other
otherWhile it was not publicly disclosed how the data was protected after discovery, multiple options could have been considered.
Code Example:
Good
Other
otherConsider the following PowerShell command examples for encryption scopes of Azure storage objects. In the first example, an encryption scope is set for the storage account.
Code Example:
Bad
Shell
shellThe result (edited and formatted for readability) might be:
Code Example:
Bad
Other
otherotherHowever, the empty string under RequireInfrastructureEncryption indicates this service was not enabled at the time of creation, because the -RequireInfrastructureEncryption argument was not specified in the command.
Including the -RequireInfrastructureEncryption argument addresses the issue:
Code Example:
Good
Shell
shellThis produces the report:
Code Example:
Result
Other
otherotherIn a scenario where both software and hardware layer encryption is required ("double encryption"), Azure's infrastructure encryption setting can be enabled via the CLI or Portal. An important note is that infrastructure hardware encryption cannot be enabled or disabled after a blob is created. Furthermore, the default value for infrastructure encryption is disabled in blob creations.
Observed Examples 20
CVE-2022-30275Remote Terminal Unit (RTU) uses a driver that relies on a password stored in plaintext.
CVE-2009-2272password and username stored in cleartext in a cookie
CVE-2009-1466password stored in cleartext in a file with insecure permissions
CVE-2009-0152chat program disables SSL in some circumstances even when the user says to use SSL.
CVE-2009-1603Chain: product uses an incorrect public exponent when generating an RSA key, which effectively disables the encryption
CVE-2009-0964storage of unencrypted passwords in a database
CVE-2008-6157storage of unencrypted passwords in a database
CVE-2008-6828product stores a password in cleartext in memory
CVE-2008-1567storage of a secret key in cleartext in a temporary file
CVE-2008-0174SCADA product uses HTTP Basic Authentication, which is not encrypted
CVE-2007-5778login credentials stored unencrypted in a registry key
CVE-2001-1481Plaintext credentials in world-readable file.
CVE-2005-1828Password in cleartext in config file.
CVE-2005-2209Password in cleartext in config file.
CVE-2002-1696Decrypted copy of a message written to disk given a combination of options and when user replies to an encrypted message.
CVE-2004-2397Plaintext storage of private key and passphrase in log file when user imports the key.
CVE-2002-1800Admin password in plaintext in a cookie.
CVE-2001-1537Default configuration has cleartext usernames/passwords in cookie.
CVE-2001-1536Usernames/passwords in cleartext in cookies.
CVE-2005-2160Authentication information stored in cleartext in a cookie.
References 11
Writing Secure Code
Michael Howard and David LeBlanc
Microsoft Press
04-12-2002
ID: REF-7
The Art of Software Security Assessment
Mark Dowd, John McDonald, and Justin Schuh
Addison Wesley
2006
ID: REF-62
Mobile App Top 10 List
Chris Wysopal
13-12-2010
ID: REF-172
OT:ICEFALL: The legacy of "insecure by design" and its implications for certifications and risk management
Forescout Vedere Labs
20-06-2022
ID: REF-1283
Over 80 US Municipalities' Sensitive Information, Including Resident's Personal Data, Left Vulnerable in Massive Data Breach
WizCase
20-07-2021
ID: REF-1295
1,000 GB of local government data exposed by Massachusetts software company
Jonathan Greig
22-07-2021
ID: REF-1296
AWS Foundational Security Best Practices controls
Amazon
2022
https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html(2023-04-07)
ID: REF-1297
Azure encryption overview
Microsoft
18-08-2022
ID: REF-1299
Default encryption at rest
Google Cloud
11-10-2022
ID: REF-1301
CIS Microsoft Azure Foundations Benchmark version 1.5.0
Center for Internet Security
16-08-2022
https://www.cisecurity.org/benchmark/azure(2023-01-19)
ID: REF-1307
Enable infrastructure encryption for double encryption of data
Microsoft
14-07-2022
ID: REF-1310
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Technologies:
Cloud Computing : UndeterminedICS/OT : UndeterminedMobile : Undetermined
Modes of Introduction
Architecture and Design
Related Attack Patterns
Related Weaknesses
Taxonomy Mapping
- PLOVER
- Software Fault Patterns
- ISA/IEC 62443
- ISA/IEC 62443
Notes
TerminologyDifferent people use "cleartext" and "plaintext" to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).
OtherWhen organizations adopt cloud services, it can be easier for attackers to access the data from anywhere on the Internet.