Information Gathering / Email Addresses Disclosed
Email addresses disclosed is an Information Gathering vulnerability that occurs in web applications and APIs. It is classified as CWE-200 and is described as “Information Exposure Through Sent Data” in the Common Weakness Enumeration (CWE) directory. According to the Open Web Application Security Project (OWASP) Testing Guide, it means that sensitive information, such as email addresses, is exposed in the response of a web application as a result of incorrect configuration.
This vulnerability exposes confidential information such as email addresses to the public and can be exploited by malicious actors. If the exposed email addresses are associated with sensitive data, the risk of a data breach is heightened. The risk increases further if the email addresses are associated with privileged accounts, such as an administrator account.
The best way to address this vulnerability is to ensure that web applications do not expose sensitive information in the response, by using proper configuration settings. For example, when using a web application framework like Spring, the developer should ensure that the security settings are configured correctly, so that sensitive information is not exposed.
The following code example is taken from CVE-2017-9796, and shows a web application that discloses email addresses in the response:
<form action="add.php" method="post">
  <input type="hidden" name="email" value="[email protected]"/>
  <input type="submit" value="Submit"/>
</form>
In this example, the web application does not properly sanitize the email address and exposes it in the response: the value of a hidden input field is still sent to the client and is readable in the page source.
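A check that can be run over a captured response body to find disclosed addresses such as the hidden field in the form above. This is an added example, not code from the original page; the function name `find_disclosed_emails`, the sample response and every address in it are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Pragmatic pattern for address-like strings; not a full RFC 5322 parser.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed sample response body (all addresses are placeholders).
SAMPLE_RESPONSE = """\
<html><body>
<!-- contact dev.lead@example.org about this page -->
<form action="add.php" method="post">
  <input type="hidden" name="email" value="admin@example.com"/>
  <input type="submit" value="Submit"/>
</form>
<a href="mailto:support@example.com">Help</a>
<p>Version 2.0@beta is not an address.</p>
</body></html>
"""

class _EmailFinder(HTMLParser):
    # Collects (location, address) pairs while the body is parsed.
    def __init__(self):
        super().__init__()
        self.findings = []

    def _scan(self, location, text):
        for addr in EMAIL_RE.findall(text or ""):
            self.findings.append((location, addr.lower()))

    def handle_starttag(self, tag, attrs):
        # Also called for self-closing tags such as <input ... />.
        hidden = tag == "input" and (dict(attrs).get("type") or "").lower() == "hidden"
        for name, value in attrs:
            where = "hidden-input" if hidden and name == "value" else f"attr:{tag}[{name}]"
            self._scan(where, value)

    def handle_comment(self, data):
        self._scan("comment", data)

    def handle_data(self, data):
        self._scan("text", data)

def find_disclosed_emails(body):
    # Returns findings in document order so they can be traced to the markup.
    parser = _EmailFinder()
    parser.feed(body)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for location, address in find_disclosed_emails(SAMPLE_RESPONSE):
        print(f"{location}: {address}")
```

The location label shows which part of the response leaks the address, which is what determines the fix: remove the field, strip the comment, or replace the `mailto:` link with a contact form.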