Cleartext Storage in the Registry

Draft Variant
Structure: Simple
Description

The product stores sensitive information in cleartext in the registry.

Extended Description

Attackers can read the information by accessing the registry key. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.
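As an added illustration (not part of the CWE entry or any referenced product), the audit below parses a constructed .reg export and flags sensitive-looking string values that are stored in cleartext or are merely base64-encoded, the situation the paragraph above describes; the sample export, the value-name heuristic and the classification labels are assumptions.

```python
import base64
import re

# Constructed sample .reg export (not from any real product); the value
# names and contents are assumptions chosen to show each classification.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleApp]
"InstallDir"="C:\\Program Files\\ExampleApp"
"DbPassword"="hunter2"
"ApiToken"="c2VjcmV0LXRva2VuLTEyMzQ="
'''

# Heuristic (assumed) list of value names that usually hold secrets.
SENSITIVE_NAME = re.compile(r"pass(word|wd)?|secret|token|apikey|credential", re.I)
BASE64_SHAPE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def parse_reg(text):
    """Yield (key, name, value) for '"Name"="Value"' string lines of a .reg
    export; dword/hex values are skipped."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            match = re.match(r'^"([^"]+)"="(.*)"$', line)
            if match:
                yield key, match.group(1), match.group(2).replace("\\\\", "\\")

def classify(value):
    """'cleartext': plain text; 'encoded': base64 that decodes to text (still
    cleartext per the CWE); 'binary': base64 of non-text bytes, possibly
    ciphertext, which needs manual review rather than an automatic verdict."""
    if len(value) >= 8 and len(value) % 4 == 0 and BASE64_SHAPE.match(value):
        try:
            raw = base64.b64decode(value, validate=True)
        except ValueError:  # right shape but not valid base64
            return "cleartext"
        try:
            decoded = raw.decode("utf-8")
        except UnicodeDecodeError:
            return "binary"
        return "encoded" if decoded.isprintable() else "binary"
    return "cleartext"

def audit(text):
    """Return (key, name, classification) for every sensitive-looking value."""
    return [(key, name, classify(value)) for key, name, value in parse_reg(text)
            if SENSITIVE_NAME.search(name)]
```

Run `audit()` over a real export of the keys a product writes; an 'encoded' finding is no safer than a 'cleartext' one, and a 'binary' finding still needs confirmation that a proper cipher and key store are behind it.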

Common Consequences
Scope: Confidentiality

Impact: Read Application Data

Observed Examples
CVE-2005-2227: Cleartext passwords in registry key.
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Architecture and Design
Taxonomy Mapping
  • PLOVER
  • Software Fault Patterns
Notes
Terminology: Different people use "cleartext" and "plaintext" to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).