Information leakage is a weakness in a web application or an entire website in which directories or files are not correctly hidden, revealing sensitive information that was supposed to be protected and private.
Information leakage attacks have a significant impact on any online or offline platform. Attackers can use the leaked data for several purposes, ranging from extortion and blackmail to credit card fraud, identity theft, or worse.
In its common forms, information leakage occurs mainly when HTML comments that contain confidential information are not scrubbed out. Other contributing factors include server misconfiguration, insufficient authorization, and improper application configuration.
Failing to scrub HTML or scripts can help attackers gain access to the file directory structure, server-side data, SQL query structure, and internal network information. Developers working on HTML projects often leave scrubbing aside because it is one of those nagging little tasks that usually gets dropped when the pressure to launch gets in the way.
Such developers assume that there is no harm in leaving inline comments in place while working on a project, and therefore unknowingly leave doorways wide open for hackers. It is crucial to remove these comments and other notes before launching the website, releasing software to the public, or revealing a web page to others.
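A pre-launch check for the leftover comments described above, as an added example that is not part of the original article: it lists every HTML comment in a page and tags those that appear to disclose a file path, a SQL query, or an internal network address. The patterns, function names, and sample page are assumptions constructed for illustration.

```python
import re
import sys
from html.parser import HTMLParser

# Heuristic patterns (assumptions of this example) for details the article
# says leftover comments can reveal.
PATTERNS = {
    "file-path": re.compile(r"(?:[A-Za-z]:\\|/(?:var|etc|home|srv|opt|usr)/)[\w./\\-]+"),
    "sql": re.compile(
        r"\b(?:SELECT\s.+?\sFROM|INSERT\s+INTO|UPDATE\s+\w+\s+SET|DELETE\s+FROM)\b",
        re.I | re.S),
    "internal-address": re.compile(
        r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b"),
}

class CommentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_comment(self, data):
        text = data.strip()
        if text.startswith("[if "):      # IE conditional comment: markup, not a note
            return
        line, _ = self.getpos()          # position of the opening "<!--"
        tags = sorted(name for name, rx in PATTERNS.items() if rx.search(text))
        self.findings.append({"line": line, "tags": tags, "text": text})

def scan_html(html):
    """Return one finding per HTML comment, in document order."""
    scanner = CommentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def flagged(findings):
    """Findings whose text matched at least one sensitive pattern."""
    return [f for f in findings if f["tags"]]

# Constructed sample page, not taken from any real site.
SAMPLE = """<html>
<body>
<!-- TODO: tidy up the header -->
<!-- query: SELECT id, email FROM users WHERE id = ? -->
<div id="login">
<!-- templates live in /var/www/app/templates, db host 10.0.4.17 -->
</div>
</body>
</html>"""

if __name__ == "__main__":
    results = scan_html(SAMPLE)
    for f in results:
        print(f"line {f['line']}: {','.join(f['tags']) or 'comment'}: {f['text']}")
    sys.exit(1 if flagged(results) else 0)   # non-zero exit fails a release step
```

Untagged comments are still reported, since the article's advice is to remove all such notes before launch; the tags only show which ones to look at first.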
Web pages that provide different responses based on the user's authorization or the validation of data can also leak information.
Some forms of sensitive data include:
- Account Info
- Passport Numbers
- Credit Card Numbers
- Session Addresses
- SSNs (Social Security Numbers)
- Driver's License Numbers
In these cases, proper security is essential to ensuring users have the proper access, rights and authorization while keeping private information safe.