CWE is a trademark of the MITRE Corporation.
Cleartext Storage of Sensitive Information [CWE-312]

The Cleartext Storage of Sensitive Information weakness describes the case where sensitive information is stored in clear text in a location accessible to other users.

Created: June 11, 2018
Latest Update: December 28, 2020

Table of Contents

  1. Description
  2. Potential impact
  3. Attack patterns
  4. Affected software
  5. Severity and CVSS Scoring
  6. Mitigations
  7. Vulnerability Remediation Techniques and Examples
  8. References


1. Description

The weakness occurs when an application stores valuable information in unencrypted storage. If an attacker is able to gain access to that storage, the application's data is compromised.

A typical case is storing access credentials (such as tokens) in a cleartext file, or other sensitive data in an unencrypted SQLite database, on a mobile device. If an attacker gets physical access to the device or tricks the victim into installing a malicious app, it becomes possible to extract the stored information.

2. Potential impact

An attacker able to access the unencrypted storage can read, modify or delete the sensitive information.


3. Attack patterns

The following attack patterns from CAPEC (Common Attack Pattern Enumeration and Classification) can be used to exploit cleartext storage of sensitive information:

4. Affected software

This weakness mostly affects software that stores sensitive information locally in an environment that unauthorized parties can access. It is frequently found in mobile applications.

5. Severity and CVSS Scoring

In most cases the vulnerability can only be exploited with physical or local access to the affected application. Therefore, the CVSS score for this vulnerability is usually as follows:
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

6. Mitigations

This vulnerability is usually introduced during the architecture and design phase. In most cases it cannot be mitigated without modifying the application's source code.

7. Vulnerability Remediation Techniques and Examples

As this vulnerability is most common in mobile applications, the recommendations below concern securing data on mobile devices. Depending on which data needs to be protected, the following solutions are available:

Access credentials

If the application uses access credentials to authenticate against a remote instance, it is crucial for application security to encrypt those credentials or to use multiple authentication layers. For example, you can use the fingerprint scanner as a unique key to decrypt the data, or ask the user to provide an additional password.

SQLite database

It is strongly recommended to use SQLCipher or a similar extension to encrypt the application database on the mobile device.

8. References

  1. CWE-311: Missing Encryption of Sensitive Data [cwe.mitre.org]
  2. Full Database Encryption for SQLite [zetetic.net]

Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.
