Moved PII Leakage to Sensitive Data Exposure category

Also update Automotive category's sensitive data exposure write up. All as per the VRT update in 361 - bugcrowd/vulnerability-rating-taxonomy#361
bugcrowd · Sep 6, 2023 · 381ecf9 · 381ecf9
1 parent e6286ff
commit 381ecf9
Show file tree

Hide file tree

Showing 6 changed files with 57 additions and 20 deletions.
diff --git a/...ption/automotive_security_misconfiguration/infotainment/pii_leakage/template.md b/...ption/automotive_security_misconfiguration/infotainment/pii_leakage/template.md
diff --git a/...uration/infotainment/pii_leakage/.gitkeep → .../sensitive_data_leakage_exposure/.gitkeep b/...uration/infotainment/pii_leakage/.gitkeep → .../sensitive_data_leakage_exposure/.gitkeep
diff --git a/...urity_misconfiguration/infotainment/sensitive_data_leakage_exposure/template.md b/...urity_misconfiguration/infotainment/sensitive_data_leakage_exposure/template.md
@@ -0,0 +1,20 @@
+# Sensitive Data Leakage Exposure
+
+## Overview of the Vulnerability
+
+The In-Vehicle Infotainment (IVI) system is a the central unit in an automotive vehicle's dashboard that centralizes information and entertainment systems and their controls. Misconfigurations in the IVI system can lead to security weaknesses. The IVI system leaks sensitive data, allowing an attacker to collect this sensitive data via logs and user configurations within the underlying IVI interface.
+
+## Business Impact
+
+Sensitive data that is accessible from within the IVI system can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. Additionally, the impact is further enhanced by the impact of the business having to respond, notify, and recover from a potential data breach if an attacker is successful in exfiltrating PII.
+
+## Steps to Reproduce
+
+1. Power on {{target}} by {{action}}
+1. Use {{application}} and notice that the data is stored/transmitted by {{application}} in an insecure manner
+
+## Proof of Concept (PoC)
+
+The image(s) below demonstrates how and where to find the sensitive data on the vulnerable system:
+
+{{screenshot}}
diff --git a/submissions/description/sensitive_data_exposure/pii_leakage_exposure/guidance.md b/submissions/description/sensitive_data_exposure/pii_leakage_exposure/guidance.md
@@ -0,0 +1,7 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed triage time and result in faster rewards.
+
+For leakage or exposure of PII, do not access any more data than needed to indicate PII for reporting purposes. Accessing data PII can lead to legal consequences. Try to take a screenshot of the data that is being exposed and redact sensitive information. For example, fuzz out all but the first letters/digits of PII within your PoC.
+
+Describe the impact of the sensitive data being exposed, do your best to describe what the impact for this data may be to the company.
diff --git a/...ons/description/sensitive_data_exposure/pii_leakage_exposure/recommendations.md b/...ons/description/sensitive_data_exposure/pii_leakage_exposure/recommendations.md
@@ -0,0 +1,8 @@
+# Recommendation(s)
+
+It is recommended to encrypt sensitive data, including PII, both when at rest and when in transit. All data that is processed, stored, and transmitted by the application should be classified by business need, regulatory and industry requirements, and appropriate privacy laws.
+
+Additionally, it is best practice to not store sensitive data when it is no longer required, as data that is not retained cannot be accessed and used maliciously. All sensitive data including secrets should therefore be a part of a regularly reviewed maintenance cycle. This review cycle should include rotation of secrets.
+
+For more information refer to Open Web Application Security Project (OWASP) guide relating to this vulnerability:
+<https://owasp.org/www-project-proactive-controls/v3/en/c8-protect-data-everywhere>
diff --git a/submissions/description/sensitive_data_exposure/pii_leakage_exposure/template.md b/submissions/description/sensitive_data_exposure/pii_leakage_exposure/template.md
@@ -0,0 +1,22 @@
+# PII Leakage/Exposure
+
+## Overview of the Vulnerability
+
+Personally Identifiable Information (PII) exposure can occur when sensitive data is not encrypted, or behind an authorization barrier. When PII is exposed it can place sensitive data, such as secrets, at risk. This can occur due to a variety of scenarios such as not encrypting data, SSL not being used for authenticated pages, or passwords being stored using unsalted hashes. Examples of such data include, but are not limited to: Social Security Numbers (SSN), medical data, banking information, and login credentials.
+
+Sensitive data relating to the business was exposed. This data could be exfiltrated and used by an attacker to sell access to databases and database content, or use credentials identified to take over accounts, amongst other attack vectors.
+
+## Business Impact
+
+Leakage or exposure of PII can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application.
+
+## Steps to Reproduce
+
+1. Use a browser to navigate to: {{url}}/data/
+1. Observe that secrets are being disclosed
+
+## Proof of Concept (PoC)
+
+The screenshots below displays the PII disclosed:
+
+{{screenshot}}