In the midst of the global pandemic, when its use was at an all-time high of 300 million daily users, Zoom revealed that it had accidentally leaked sensitive data that included email addresses and profile pictures to other participants in the meeting. The incident led to repeated critiques of the program’s security in the news and among users, violations of privacy laws, and angry users who realized their calls weren’t encrypted end-to-end, as Zoom’s website promised.
How did one of the most established video conferencing applications end up leaking sensitive customer information publicly to its users? Rather than a malicious data breach carefully constructed by an attacker, the cause was fairly simple. The information leaked through the Zoom application’s debug logs, the records that help software engineers understand how the program is functioning and what may be causing a problem. These debug logs often include information such as usernames, passwords, and even snippets of source code in their messages until action is taken to protect users.
Whether we like it or not, sensitive data is all over the internet. It’s not uncommon for companies to unintentionally release information to their users. It’s also not uncommon for leaked information to have significant consequences. What can organizations do to ensure users feel that their information is safe on services, applications and software?
Although information can never be 100% safe from leakage, the best path forward for most organizations is to take the basic steps necessary to minimize or prevent information leakage as much as possible.
What is Information Leakage?
Information leakage is the sharing of sensitive information with unauthorized parties. The leakage can be either accidental, such as an employee sharing confidential information with an external party via email, or malicious, such as the exfiltration of data through phishing scams. Regardless of the intent, however, the information shared is valuable to hackers and can be used to execute attacks on your organization’s infrastructure, services or applications.
While information leaks originate from within an organization, data breaches result from the actions of unauthorized users outside the organization. Encryption, implementing security controls and classifying sensitive data are all strategies organizations use to prevent data loss. In addition, many organizations have various data leak prevention strategies and technology in place to defend against data breaches.
How Organizations Expose Customer Data in an Error Message
When a web application fails, error reports often provide detailed information to users. While these error messages may effectively communicate the source of the error, they can also potentially reveal sensitive information about users, such as their user credentials, to a malicious actor.
Examples of error messages that reveal unintended information include:
- “Access Denied.” The user is not supposed to know about the presence of a file, but now knows it exists.
- Authentication error messages. If the authentication error message responds differently depending on whether or not a user ID is available, attackers can use this information to bypass authentication or launch brute force attacks.
- Error messages that reveal software versions. Attackers can look up the vulnerabilities in a specific software version and easily launch attacks.
- Error messages that expose where configuration files are stored. Attackers can use these files to detect user credentials and gain access to additional systems or infrastructure.
- Error messages with “traceback” information. Stack trace information can include physical file paths, software version information, database information, and even parts of an organization’s source code.
Although these log files are not damaging in a testing environment, they should be disabled in a production environment. A generic error should be used instead of error messages that might contain sensitive information for hackers. At the same time, however, the message should have enough information to communicate the error effectively to the developer and team responsible for fixing the bug. According to OWASP, an effective error message is one that delivers “a meaningful error message to the user, diagnostic information to the site maintainers, and no useful information to an attacker.”
In addition to posing a security threat, web application errors should be fixed as soon as possible as they can disrupt services to users.
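The OWASP rule quoted above, sketched as an added Python example (not code from the original article or from any framework it names): the caller gets a generic message with a reference ID while the stack trace goes to the server log, and a failed login returns one response whether or not the username exists. The user store, handler names and the `/srv/app` path are constructed for illustration.

```python
import hashlib
import hmac
import io
import logging
import os
import uuid

# Server-side diagnostics go here; a StringIO stands in for the real log sink.
LOG_SINK = io.StringIO()
log = logging.getLogger("app.errors")
log.setLevel(logging.ERROR)
log.addHandler(logging.StreamHandler(LOG_SINK))
log.propagate = False

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample user store: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
_DUMMY = (os.urandom(16), os.urandom(32))  # verified when the user is unknown

def login(username: str, password: str) -> dict:
    """Return the same status and body for unknown user and wrong password."""
    salt, expected = USERS.get(username, _DUMMY)
    # The hash is always computed, so both failure paths do the same work.
    ok = hmac.compare_digest(_hash(password, salt), expected) and username in USERS
    if ok:
        return {"status": 200, "body": "Welcome"}
    return {"status": 401, "body": "Invalid username or password."}

def safe_call(handler, *args) -> dict:
    """Run a handler; on failure log the traceback and return a generic error."""
    try:
        return handler(*args)
    except Exception:
        incident = uuid.uuid4().hex[:12]
        # Stack trace, file paths and exception text stay in the server log only.
        log.exception("incident=%s handler=%s", incident, handler.__name__)
        return {"status": 500,
                "body": f"Something went wrong. Reference: {incident}"}

def load_profile(user_id: str) -> dict:
    # Constructed failure: the exception text contains an internal file path.
    raise FileNotFoundError(f"/srv/app/config/db.yml missing for {user_id}")
```

The reference ID in the response lets support staff find the matching log entry without the user ever seeing the trace.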
Defending Against Information Leakage in Error Messages
Other strategies to protect your organization include testing all error messages to evaluate site response using unit testing, integration testing or penetration testing tools. You can also conduct an ongoing review of your error code to proactively detect and patch vulnerabilities and improve code quality.
Finally, your organization should consider implementing an error-handling policy. A proper error-handling policy should include how the organization handles different types of errors, what information is revealed to the user and what information is put in the log. The error-handling policy should also be documented to standardize the process and help streamline the policy between team members. Documentation also helps new employees understand the process as quickly as possible. A number of error frameworks and libraries also exist to facilitate both error handling and exceptions in web application code.
These include:
- Express.js for Node.js. Handles synchronous and asynchronous errors.
- Django for Python. Handles 400 and 500 errors.
- Laravel for PHP. Handles HTTP and non-HTTP exceptions.
Additional Types of Data Leakage
Although exposure of data in error messages is one of the most common types of data leakage, there are many other opportunities for information to be exposed. All of this data can be used by attackers to launch sophisticated social engineering and phishing attacks that often expose additional information about the organization.
These include:
- Banners. Hackers send requests to the system to gain information about it. Using this method, they can successfully obtain information on the different host networks and services running on your open ports, and their versions.
- Web page source. By viewing the source code of a page, hackers can find hidden information, such as IDs, emails and phone numbers of a user.
- Caching. Caching, or storing files in a temporary location, can help users remember their web history, but at the same time, it can also reveal sensitive data such as URL histories, HTTP headers, HTML form inputs and transaction history.
- Cookies. Attackers can launch phishing or XSS attacks to gain access to cookies, or small files stored on a website, to hijack a user’s website session.
- Supporting files. Attackers can exploit JavaScript, CSS, or other auxiliary files that contain important data in the comments, source or configuration data.
- Event timing. Attackers can use these error messages to glean information about internal operations based on how long they take to complete. Data from event timing errors are often used in blind injection attacks.
- Debug messages. Attackers can gain access to data within debugging symbols in source code. Data can include usernames, passwords or IP addresses.
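One way to keep credentials and email addresses out of debug logs, as an added Python example that is not from the original article: a `logging.Filter` that scrubs each record before it is written. The regular expressions, logger name and sample log lines are assumptions constructed for illustration.

```python
import io
import logging
import re

# Illustrative patterns (assumptions); extend them for your own log formats.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SECRET = re.compile(
    r"(?i)\b(password|passwd|token|secret|api_key)\b(\s*[=:]\s*)(\S+)")

def redact(text: str) -> str:
    """Mask secret values first, then any remaining email addresses."""
    text = SECRET.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", text)
    return EMAIL.sub("[EMAIL]", text)

class RedactingFilter(logging.Filter):
    """Scrub the fully formatted message so %-style arguments are covered."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # arguments are already merged into msg
        return True

def build_logger(stream) -> logging.Logger:
    logger = logging.getLogger("app.debug")
    logger.handlers.clear()
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger

def demo() -> str:
    out = io.StringIO()
    logger = build_logger(out)
    # Constructed debug lines of the kind that end up in shipped log files.
    logger.debug("join meeting user=%s password=%s", "bob@example.com", "hunter2")
    logger.debug("retrying with token: abc123.def for room 7")
    return out.getvalue()
```

The filter covers the message text only; tracebacks attached through `exc_info` are formatted later by the handler and need their own scrubbing.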
7 Common Examples of Sensitive Information Leaked
Information leaks pose a significant threat to organizations, as critical information can be used to execute attacks on an organization’s infrastructure or applications.
That information includes:
- Financial information. This can include credit card information, bank account information, tax returns and receipts which can be used for financial fraud, identity theft and other types of fraud.
- Account identifiers. The reference number of a bank account can be used to execute brute-force attacks to gain access to various financial institutions, withdraw funds and make unauthorized transactions.
- Intellectual property or trade secrets. Hackers can steal IP or other secret information to gain a competitive advantage and even knock out a competitor.
- User credentials. Usernames and passwords can help attackers gain access to bank accounts, IT infrastructure, payment systems and other systems that offer even more valuable and sensitive information.
- Personally Identifiable Information (PII). Information such as a user’s name, address, birthday, and phone number facilitates identity theft and credit fraud. When leaked together with social security numbers, attackers can use the information to directly access government benefits, tax forms and private medical information.
- Email addresses. These can be used to execute phishing scams, social engineering attacks and access control attacks such as bypassing authentication.
- Database structure. If an attacker understands the database structure, he can use it to potentially launch SQL injection attacks.
How Can You Protect Your Organization’s Sensitive Data?
Information leakage is just one of many threats your organization must defend against. Protecting your organization’s data and sensitive information can help you improve your cyber posture, avoid regulatory fines and minimize the impact of an impending data breach or cybersecurity attack. Beyond an error-handling policy, organizations can put several policies in place to defend their information against leakage.
These include:
- Have a patch management system. System and vulnerability checks are critical to defend against attackers. Regular updates and patches can go a long way in protecting your organization as a first line of defense.
- Implement encryption. Encrypted data requires decryption to successfully use it. Portable encryption, for example, automatically encrypts data that leaves your organization, making it harder for attackers to read and exploit.
- Educate employees. Train employees and inform them of the latest best practices in data security and any company-wide policies for keeping information secure within your company.
- Monitor your third parties. Conduct vendor risk assessments and attack surface monitoring regularly to assess whether third parties meet regulatory compliance and evaluate their likelihood of experiencing a data breach.
Defend Against Information Leakage with Panorays
Experts estimate that by 2025, over 463 exabytes of data will have been created. That’s the equivalent of nearly 213 million DVDs a day! With so much data in circulation, it’s essential that your organization has the right tools for defending against information leakage. Panorays’ attack surface monitoring ensures you get alerts about vulnerabilities in your attack surface and shows you how they impact your entire digital supply chain. At the same time, automatic security questionnaires deliver you the business context you need for accurate cybersecurity posture, and give you insights into whether or not your third parties are adhering to regulatory compliance.
Learn more about how you can defend against information leakage and gain insights into your entire digital supply chain with Panorays’ extended attack surface monitoring.
FAQs
Information leakage occurs when sensitive data is exposed from an organization, either from malicious insiders such as disgruntled employees or from an unintentional release, such as an employee who accidentally shares customer data with external parties through an email. Information leaks differ from data leaks, however, in the direction of the leaked information. Whereas information leaks reveal information from inside the company through internal parties, data leaks occur due to intentional attacks from outside parties. Organizations implement strategies such as encryption, security controls and classifying data to assist in data loss prevention.
Information leakage is caused by the failure of an organization to protect its sensitive data. One of the most common causes of information leakage is through an error message. Error messages should be written in a way that accurately describes the source of the error for the development team but also protects the security of the company. Many error messages, however, fail to do this. They unintentionally leak information such as the software version, source code, database information, customer data, personal information, URL history and transaction history. In addition to error messages, sensitive information can also leak through banners, web page sources, caching, cookies, supporting files, event timing, and debug messages.
An example of information leakage is when the Tinder dating app exposed user email addresses through a flaw in an error message. Attackers used this information to successfully launch a brute force attack to gain access to user accounts. Later, other dating apps such as OKCupid, Grindr, Ashley Madison and Tinder were found to also expose sensitive user information to the public, including GPS location, IP address, age and information on hardware use. In the case of the Ashley Madison app, the information leakage led to attempts at blackmail, extortion and even suicides of users. These types of information leakage also violate various privacy laws and terms within the CCPA, PCI DSS, HIPAA and GDPR.
If your data is leaked, your organization may face regulatory fines, reputational damage, and a loss of customer trust. Your organization may also face legal and regulatory ramifications, depending on the nature of the information. Since attackers often use information leaks as a first step towards gaining unauthorized access to your IT infrastructure, services and applications and launching more severe and sophisticated attacks, your organization will need to rely more heavily on its threat and risk intelligence tools to alert your security team of any new threats. These attacks may include social engineering, ransomware, identity theft, and even account takeover. If government or military information is leaked, the information leakage may pose a threat to national security.