CWE-359
AllowedExposure of Private Personal Information to an Unauthorized Actor
Abstraction: Base · Status: Incomplete
The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
323 vulnerabilities reference this CWE, most recent first.
GHSA-74FJ-2J2H-C42Q
Vulnerability from github – Published: 2022-01-12 22:46 – Updated: 2022-01-20 15:34follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "follow-redirects"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.14.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-0155"
],
"database_specific": {
"cwe_ids": [
"CWE-359"
],
"github_reviewed": true,
"github_reviewed_at": "2022-01-11T18:41:08Z",
"nvd_published_at": "2022-01-10T20:15:00Z",
"severity": "HIGH"
},
"details": "follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor",
"id": "GHSA-74fj-2j2h-c42q",
"modified": "2022-01-20T15:34:48Z",
"published": "2022-01-12T22:46:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0155"
},
{
"type": "WEB",
"url": "https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
},
{
"type": "WEB",
"url": "https://github.com/follow-redirects/follow-redirects"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Exposure of sensitive information in follow-redirects"
}
GHSA-75PH-HRV9-H6F8
Vulnerability from github – Published: 2023-05-23 21:30 – Updated: 2024-04-04 04:19Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Finex Media Competition Management System allows Retrieve Embedded Sensitive Data, Collect Data as Provided by Users.This issue affects Competition Management System: before 23.07.
{
"affected": [],
"aliases": [
"CVE-2023-2703"
],
"database_specific": {
"cwe_ids": [
"CWE-359",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-23T20:15:09Z",
"severity": "HIGH"
},
"details": "Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Finex Media Competition Management System allows Retrieve Embedded Sensitive Data, Collect Data as Provided by Users.This issue affects Competition Management System: before 23.07.\n\n",
"id": "GHSA-75ph-hrv9-h6f8",
"modified": "2024-04-04T04:19:16Z",
"published": "2023-05-23T21:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2703"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-23-0283"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-769Q-XHV3-QGQV
Vulnerability from github – Published: 2023-11-22 12:30 – Updated: 2026-05-20 15:35Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Botanik Software Pharmacy Automation allows Retrieve Embedded Sensitive Data.This issue affects Pharmacy Automation: before 2.1.133.0.
{
"affected": [],
"aliases": [
"CVE-2023-5983"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-359"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-22T12:15:22Z",
"severity": "HIGH"
},
"details": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Botanik Software Pharmacy Automation allows Retrieve Embedded Sensitive Data.This issue affects Pharmacy Automation: before 2.1.133.0.",
"id": "GHSA-769q-xhv3-qgqv",
"modified": "2026-05-20T15:35:20Z",
"published": "2023-11-22T12:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5983"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-23-0652"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-23-0652"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7GC6-QH9X-W6H8
Vulnerability from github – Published: 2022-04-17 00:00 – Updated: 2025-10-08 19:22Withdrawn Advisory
This advisory has been withdrawn because the vulnerability originates from a dependency. For more information, see the Maintainer comments in https://huntr.com/bounties/ab55dfdd-2a60-437a-a832-e3efe3d264ac.
Original Description
When fetching a remote url with Cookie if it get Location response header then it will follow that url and try to fetch that url with provided cookie . So cookie is leaked here to thirdparty. Ex: you try to fetch example.com with cookie and if it get redirect url to attacker.com then it fetch that redirect url with provided cookie .
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "cross-fetch"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.1.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "cross-fetch"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-1365"
],
"database_specific": {
"cwe_ids": [
"CWE-359",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-28T20:45:25Z",
"nvd_published_at": "2022-04-15T23:15:00Z",
"severity": "MODERATE"
},
"details": "## Withdrawn Advisory\nThis advisory has been withdrawn because the vulnerability originates from a dependency. For more information, see the `Maintainer` comments in https://huntr.com/bounties/ab55dfdd-2a60-437a-a832-e3efe3d264ac.\n\n## Original Description\nWhen fetching a remote url with Cookie if it get Location response header then it will follow that url and try to fetch that url with provided cookie . So cookie is leaked here to thirdparty.\nEx: you try to fetch example.com with cookie and if it get redirect url to attacker.com then it fetch that redirect url with provided cookie .",
"id": "GHSA-7gc6-qh9x-w6h8",
"modified": "2025-10-08T19:22:14Z",
"published": "2022-04-17T00:00:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1365"
},
{
"type": "WEB",
"url": "https://github.com/lquixada/cross-fetch/pull/135"
},
{
"type": "WEB",
"url": "https://github.com/lquixada/cross-fetch/commit/a3b3a9481091ddd06b8f83784ba9c4e034dc912a"
},
{
"type": "PACKAGE",
"url": "https://github.com/lquixada/cross-fetch"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/ab55dfdd-2a60-437a-a832-e3efe3d264ac"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Withdrawn Advisory: Incorrect Authorization in cross-fetch",
"withdrawn": "2025-10-08T19:22:14Z"
}
GHSA-7JMC-JR23-HP7G
Vulnerability from github – Published: 2025-01-15 15:31 – Updated: 2025-01-15 15:31The Elementor Addon Elements plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.10 via the 'render' function in modules/modal-popup/widgets/modal-popup.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, scheduled, and draft template data.
{
"affected": [],
"aliases": [
"CVE-2024-13215"
],
"database_specific": {
"cwe_ids": [
"CWE-359"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-15T13:15:09Z",
"severity": "MODERATE"
},
"details": "The Elementor Addon Elements plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.10 via the \u0027render\u0027 function in modules/modal-popup/widgets/modal-popup.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, scheduled, and draft template data.",
"id": "GHSA-7jmc-jr23-hp7g",
"modified": "2025-01-15T15:31:24Z",
"published": "2025-01-15T15:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13215"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/modal-popup/widgets/modal-popup.php#L1058"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3221982"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4feacb75-0533-4f53-8ce9-3e45ee8336e2?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7PCC-7CQ6-8V3X
Vulnerability from github – Published: 2024-04-09 21:31 – Updated: 2024-04-09 21:31The Beaver Themer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.9 via the 'wpbb' shortcode. This makes it possible for authenticated attackers, with contributor access and above, to extract sensitive data including arbitrary user_meta values.
{
"affected": [],
"aliases": [
"CVE-2023-6695"
],
"database_specific": {
"cwe_ids": [
"CWE-359"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-09T19:15:12Z",
"severity": "MODERATE"
},
"details": "The Beaver Themer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.9 via the \u0027wpbb\u0027 shortcode. This makes it possible for authenticated attackers, with contributor access and above, to extract sensitive data including arbitrary user_meta values.",
"id": "GHSA-7pcc-7cq6-8v3x",
"modified": "2024-04-09T21:31:56Z",
"published": "2024-04-09T21:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6695"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4165cff7-457d-4790-8678-84c4365a191a?source=cve"
},
{
"type": "WEB",
"url": "https://www.wpbeaverbuilder.com/change-logs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7PGW-Q3QP-6PGQ
Vulnerability from github – Published: 2025-07-10 13:10 – Updated: 2025-07-10 23:23Summary
Several #dpl parameters can leak usernames that have been hidden using revision deletion, suppression, or the hideuser block flag.
Details
The parameters adduser, addauthor, and addlasteditor output the page creator or last editor using the %USER% placeholder. These display the actual username, even when that name has been hidden using revision deletion, suppression (oversight), or hideuser.
The %CONTRIBUTOR% placeholder, used with addcontribution, behaves similarly and also reveals hidden usernames.
In addition, the following parameters can expose suppressed usernames when combined with %USER% or similar output placeholders:
- lastrevisionbefore
- allrevisionsbefore
- firstrevisionsince
- allrevisionssince
These parameters reference specific revisions and allow output of user-related metadata. If a username has been hidden from those revisions, it may still appear in the output.
Further, the parameters createdby, notcreatedby, modifiedby, notmodifiedby, lastmodifiedby, and notlastmodifiedby accept usernames as input. When the correct (suppressed) username is used, the query may return matching pages or edits. This can reveal the presence and association of a hidden identity, even if not displayed directly. However, this is a more indirect exposure than the output parameters mentioned above.
Proof of Concept
- Create a page while logged in as a user.
- Revision delete or suppress the username from the page history.
- Use a DPL query with one of the affected parameters.
- The output reveals the hidden username.
Example
The following query reveals the suppressed username Example user:
{{#dpl:
| title = File:Example.png
| addauthor = true
| format = ,%USER%,,
}}
Similar behavior occurs using parameters like lastrevisionbefore with %USER% in the format string.
Impact
This issue causes the exposure of usernames that were intentionally hidden by administrators. It directly undermines revision deletion, user suppression, and block-related privacy measures. In some cases, usernames can be revealed both directly through output and indirectly through query behavior.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "universal-omega/dynamic-page-list3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.6.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53625"
],
"database_specific": {
"cwe_ids": [
"CWE-359"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-10T13:10:20Z",
"nvd_published_at": "2025-07-10T19:15:26Z",
"severity": "HIGH"
},
"details": "### Summary\nSeveral `#dpl` parameters can leak usernames that have been hidden using revision deletion, suppression, or the `hideuser` block flag.\n\n### Details\nThe parameters `adduser`, `addauthor`, and `addlasteditor` output the page creator or last editor using the `%USER%` placeholder. These display the actual username, even when that name has been hidden using revision deletion, suppression (oversight), or `hideuser`.\n\nThe `%CONTRIBUTOR%` placeholder, used with `addcontribution`, behaves similarly and also reveals hidden usernames.\n\nIn addition, the following parameters can expose suppressed usernames when combined with `%USER%` or similar output placeholders:\n- `lastrevisionbefore`\n- `allrevisionsbefore`\n- `firstrevisionsince`\n- `allrevisionssince`\n\nThese parameters reference specific revisions and allow output of user-related metadata. If a username has been hidden from those revisions, it may still appear in the output.\n\nFurther, the parameters `createdby`, `notcreatedby`, `modifiedby`, `notmodifiedby`, `lastmodifiedby`, and `notlastmodifiedby` accept usernames as input. When the correct (suppressed) username is used, the query may return matching pages or edits. This can reveal the presence and association of a hidden identity, even if not displayed directly. However, this is a more indirect exposure than the output parameters mentioned above.\n\n### Proof of Concept\n\n1. Create a page while logged in as a user.\n2. Revision delete or suppress the username from the page history.\n3. Use a DPL query with one of the affected parameters.\n4. The output reveals the hidden username.\n\n#### Example\n\nThe following query reveals the suppressed username `Example user`:\n\n```wikitext\n{{#dpl:\n| title = File:Example.png\n| addauthor = true\n| format = ,%USER%,,\n}}\n```\n\nSimilar behavior occurs using parameters like `lastrevisionbefore` with `%USER%` in the `format` string.\n\n### Impact\nThis issue causes the exposure of usernames that were intentionally hidden by administrators. It directly undermines revision deletion, user suppression, and block-related privacy measures. In some cases, usernames can be revealed both directly through output and indirectly through query behavior.",
"id": "GHSA-7pgw-q3qp-6pgq",
"modified": "2025-07-10T23:23:34Z",
"published": "2025-07-10T13:10:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Universal-Omega/DynamicPageList3/security/advisories/GHSA-7pgw-q3qp-6pgq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53625"
},
{
"type": "WEB",
"url": "https://github.com/Universal-Omega/DynamicPageList3/commit/a3dae0c89fb4214390c29ceffa23bbe2099986d6"
},
{
"type": "PACKAGE",
"url": "https://github.com/Universal-Omega/DynamicPageList3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "DynamicPageList3 vulnerability exposes hidden/suppressed usernames"
}
GHSA-7XJX-FWH6-G2VQ
Vulnerability from github – Published: 2025-11-04 03:30 – Updated: 2025-11-05 21:31A privacy issue was addressed by removing sensitive data. This issue is fixed in iOS 26.1 and iPadOS 26.1, visionOS 26.1. An app may be able to fingerprint the user.
{
"affected": [],
"aliases": [
"CVE-2025-43439"
],
"database_specific": {
"cwe_ids": [
"CWE-359"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-04T02:15:49Z",
"severity": "HIGH"
},
"details": "A privacy issue was addressed by removing sensitive data. This issue is fixed in iOS 26.1 and iPadOS 26.1, visionOS 26.1. An app may be able to fingerprint the user.",
"id": "GHSA-7xjx-fwh6-g2vq",
"modified": "2025-11-05T21:31:00Z",
"published": "2025-11-04T03:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43439"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125632"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125633"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125638"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7XQ4-MWCP-Q8FX
Vulnerability from github – Published: 2025-12-26 06:30 – Updated: 2025-12-26 19:36In Gitea before 1.21.2, an anonymous user can visit a private user's project.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "code.gitea.io/gitea"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.21.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-68945"
],
"database_specific": {
"cwe_ids": [
"CWE-359"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-26T19:36:13Z",
"nvd_published_at": "2025-12-26T04:15:41Z",
"severity": "MODERATE"
},
"details": "In Gitea before 1.21.2, an anonymous user can visit a private user\u0027s project.",
"id": "GHSA-7xq4-mwcp-q8fx",
"modified": "2025-12-26T19:36:13Z",
"published": "2025-12-26T06:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68945"
},
{
"type": "WEB",
"url": "https://github.com/go-gitea/gitea/pull/28423"
},
{
"type": "WEB",
"url": "https://blog.gitea.com/release-of-1.21.2"
},
{
"type": "PACKAGE",
"url": "https://github.com/go-gitea/gitea"
},
{
"type": "WEB",
"url": "https://github.com/go-gitea/gitea/releases/tag/v1.21.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Gitea: anonymous user can visit private user\u0027s project"
}
GHSA-829C-JPVX-VFRV
Vulnerability from github – Published: 2025-12-19 09:30 – Updated: 2026-02-23 12:31An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users.
{
"affected": [],
"aliases": [
"CVE-2025-13008"
],
"database_specific": {
"cwe_ids": [
"CWE-359"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-19T07:15:58Z",
"severity": "HIGH"
},
"details": "An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users.",
"id": "GHSA-829c-jpvx-vfrv",
"modified": "2026-02-23T12:31:29Z",
"published": "2025-12-19T09:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13008"
},
{
"type": "WEB",
"url": "https://empower.m-files.com/security-advisories/CVE-2025-13008"
},
{
"type": "WEB",
"url": "https://product.m-files.com/security-advisories/cve-2025-13008"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Identify and consult all relevant regulations for personal privacy. An organization may be required to comply with certain federal and state regulations, depending on its location, the type of business it conducts, and the nature of any private data it handles. Regulations may include Safe Harbor Privacy Framework [REF-340], Gramm-Leach Bliley Act (GLBA) [REF-341], Health Insurance Portability and Accountability Act (HIPAA) [REF-342], General Data Protection Regulation (GDPR) [REF-1047], California Consumer Privacy Act (CCPA) [REF-1048], and others.
Mitigation
Carefully evaluate how secure design may interfere with privacy, and vice versa. Security and privacy concerns often seem to compete with each other. From a security perspective, all important operations should be recorded so that any anomalous activity can later be identified. However, when private data is involved, this practice can in fact create risk. Although there are many ways in which private data can be handled unsafely, a common risk stems from misplaced trust. Programmers often trust the operating environment in which a program runs, and therefore believe that it is acceptable store private information on the file system, in the registry, or in other locally-controlled resources. However, even if access to certain resources is restricted, this does not guarantee that the individuals who do have access can be trusted.
Mitigation MIT-57
Strategy: Attack Surface Reduction
- Some tools can automatically analyze documents to redact, strip, or "sanitize" private information, although some human review might be necessary. Tools may vary in terms of which document formats can be processed.
- When calling an external program to automatically generate or convert documents, invoke the program with any available options that avoid generating sensitive metadata. Some formats have well-defined fields that could contain private data, such as Exchangeable image file format (Exif), which can contain potentially sensitive metadata such as geolocation, date, and time [REF-1515] [REF-1516].
CAPEC-464: Evercookie
An attacker creates a very persistent cookie that stays present even after the user thinks it has been removed. The cookie is stored on the victim's machine in over ten places. When the victim clears the cookie cache via traditional means inside the browser, that operation removes the cookie from certain places but not others. The malicious code then replicates the cookie from all of the places where it was not deleted to all of the possible storage locations once again. So the victim again has the cookie in all of the original storage locations. In other words, failure to delete the cookie in even one location will result in the cookie's resurrection everywhere. The evercookie will also persist across different browsers because certain stores (e.g., Local Shared Objects) are shared between different browsers.
CAPEC-467: Cross Site Identification
An attacker harvests identifying information about a victim via an active session that the victim's browser has with a social networking site. A victim may have the social networking site open in one tab or perhaps is simply using the "remember me" feature to keep their session with the social networking site active. An attacker induces a payload to execute in the victim's browser that transparently to the victim initiates a request to the social networking site (e.g., via available social network site APIs) to retrieve identifying information about a victim. While some of this information may be public, the attacker is able to harvest this information in context and may use it for further attacks on the user (e.g., spear phishing).
CAPEC-498: Probe iOS Screenshots
An adversary examines screenshot images created by iOS in an attempt to obtain sensitive information. This attack targets temporary screenshots created by the underlying OS while the application remains open in the background.
CAPEC-508: Shoulder Surfing
In a shoulder surfing attack, an adversary observes an unaware individual's keystrokes, screen content, or conversations with the goal of obtaining sensitive information. One motive for this attack is to obtain sensitive information about the target for financial, personal, political, or other gains. From an insider threat perspective, an additional motive could be to obtain system/application credentials or cryptographic keys. Shoulder surfing attacks are accomplished by observing the content "over the victim's shoulder", as implied by the name of this attack.