Information Leakage / Credentials Exposed in Logs
Description
Credentials exposed in logs is a type of Information Leakage vulnerability. It occurs when a mobile app, for either iOS or Android, records or transmits sensitive data such as login credentials in an insecure format, usually plaintext, for example in application log files or over an insecure network. This type of vulnerability is listed in the CWE directory as CWE-244 and in the OWASP Testing Guide as A2-Logging.
Risk
The risk associated with credential exposure in logs is that an attacker who can read the logs obtains sensitive data, such as authentication credentials, and with them access to confidential information or resources. Additionally, the attacker can use the exposed credentials to assume the identity of the user and take over the user’s account.
Solution
The best solution to mitigate the risk of credentials exposed in logs is to ensure that the app encrypts all data before it is transmitted over the network, and that it uses secure protocols such as TLS/SSL for that transmission. It is also important to ensure that all login credentials are stored securely in the app and are never written to logs in plaintext.
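The last point of the solution, keeping credentials out of log output, is easiest to enforce centrally rather than at every call site. The following is an added example (not code from the original page or from any app named on it) of a redacting log filter and a matching log scanner. It is written in Python so that it runs stand-alone; the same pattern carries over to an Android Timber tree or a wrapper around Log.d. The list of sensitive keys, the regular expressions and the sample logcat-style lines are all constructed for this example.

```python
import io
import logging
import re

# Keys whose values must never reach a log line (assumed list; extend per app).
# "authorization" is deliberately absent: header tokens are handled by _AUTH_RE below.
SENSITIVE_KEYS = ("password", "passwd", "pwd", "token", "secret", "session")

# Matches key=value, key: value and JSON "key": "value" forms, case-insensitively.
# Group 1: the key, group 2: the separator (with optional quotes), group 3: the value.
_KV_RE = re.compile(
    r'(?i)\b(' + "|".join(SENSITIVE_KEYS) + r')(["\']?\s*[=:]\s*["\']?)([^\s,;&"\'}]+)'
)
# Matches "Bearer <token>" / "Basic <base64>" as found in Authorization headers.
_AUTH_RE = re.compile(r'(?i)\b(Bearer|Basic)\s+([A-Za-z0-9._~+/=-]+)')

REDACTED = "[REDACTED]"


def redact(text: str) -> str:
    """Replace credential values in a line of text; idempotent, so it can run twice."""
    text = _AUTH_RE.sub(lambda m: f"{m.group(1)} {REDACTED}", text)
    text = _KV_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}{REDACTED}", text)
    return text


class RedactingFilter(logging.Filter):
    """Logging filter that rewrites the fully formatted message before any handler sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so that values passed as %-args are redacted as well,
        # then clear args so the handler does not re-apply formatting.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True  # never drop the record, only scrub it


def demo_filtered_logging(message: str, *args) -> str:
    """Log one message through a logger fitted with RedactingFilter; return what reached the handler."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("redact-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    logger.debug(message, *args)
    handler.flush()
    return stream.getvalue().strip()


def find_exposed_credentials(lines):
    """Return 1-based line numbers that contain a credential value (detection side).

    A line is flagged when redaction would change it; already-redacted lines are not flagged.
    """
    return [n for n, line in enumerate(lines, 1) if redact(line) != line]


# Constructed logcat-style sample; the token and password are fake.
SAMPLE_LOG = [
    "D/LoginActivity: user=alice password=hunter2 rememberMe=true",
    "D/HttpClient: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructed.payload",
    'D/Prefs: saved {"username": "alice", "password": "hunter2"}',
    "I/LoginActivity: login succeeded for user=alice",
]

if __name__ == "__main__":
    print("exposed on lines:", find_exposed_credentials(SAMPLE_LOG))
    for line in SAMPLE_LOG:
        print(redact(line))
    print(demo_filtered_logging("login attempt user=%s password=%s", "alice", "hunter2"))
```

Installing the filter on the root logger (or on the app's single logging wrapper) means a developer who logs a request body during debugging still cannot leak a password, while `find_exposed_credentials` is the same logic run over a pulled log file, which is how you would confirm a build is clean before release.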
Example
An example of credential exposure in logs is CVE-2019-17372, which affects the Android version of the Kaspersky Password Manager app. The vulnerability exists in the app’s implementation of the “Remember Me” feature, which stores the user’s authentication credentials in plaintext in the app’s log files.