Information Leakage / Use of Wifi API That Contains or Leaks Sensitive PII
Description
Use of Wifi API that contains or leaks sensitive PII is a vulnerability categorized in the Common Weakness Enumeration (CWE) directory as CWE-918: Server-Side Request Forgery (SSRF). This vulnerability exists in Android and mobile apps, where the application and its API are susceptible to leaking sensitive personally identifiable information (PII). As defined by the OWASP Testing Guide, an SSRF attack occurs when an attacker can send a crafted request from a vulnerable web application using the application’s own credentials, allowing the attacker to access resources and information that are normally inaccessible.
Risk
This vulnerability can result in significant risks to the end user, as the leaked sensitive information can be used by attackers to gain access to the user’s personal data or other sensitive information. It can further be used to manipulate the user’s device and to access other devices on the same network. A risk assessment of this vulnerability should be conducted and appropriate safeguards should be put in place.
Solution
The solution to this vulnerability is to ensure that the Wifi API does not contain or leak sensitive PII. This can be done by ensuring that the application does not pass any sensitive information as part of a URL, and by using encryption and authentication mechanisms when transferring data. Additionally, the application should be regularly tested for vulnerabilities to ensure that any issues are quickly identified and addressed.
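One way to test for the first point, sensitive information passed as part of a URL, is to audit the request URLs captured from the app during a test run. The following is an added example, not code from this page or from any affected project; the parameter names, the `example.test` hosts and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed parameter names that typically carry Wi-Fi derived identifiers.
WIFI_PARAM_NAMES = {"ssid", "bssid", "mac", "wifi_mac", "ap_mac"}
# BSSID / MAC address with ':' or '-' separators.
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f])"
)


def audit_url(url):
    """Return findings for one outbound request URL (empty list = clean)."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("cleartext-transport")
    # parse_qsl percent-decodes, so an encoded BSSID (02%3A00...) is still seen.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in WIFI_PARAM_NAMES:
            findings.append(f"wifi-param:{name}")
        elif MAC_RE.search(value):
            findings.append(f"mac-in-value:{name}")
    if MAC_RE.search(unquote(parts.path)):
        findings.append("mac-in-path")
    return findings


def audit_capture(urls):
    """Map each offending URL in a capture to its findings."""
    report = {}
    for url in urls:
        findings = audit_url(url)
        if findings:
            report[url] = findings
    return report


# Constructed sample capture (example.test hosts, made-up identifiers).
SAMPLE_CAPTURE = [
    "http://api.example.test/checkin?ssid=HomeNet&bssid=02%3A00%3A5e%3A10%3A00%3A01",
    "https://api.example.test/v1/checkin",
    "https://api.example.test/track?dev=02-00-5E-10-00-01",
    "https://api.example.test/ap/02:00:5e:10:00:01/stats",
]

if __name__ == "__main__":
    for url, findings in audit_capture(SAMPLE_CAPTURE).items():
        print(url, "->", ", ".join(findings))
```

A request that carries no Wi-Fi identifiers in its path or query string and is sent over HTTPS produces no findings, which makes the check suitable as a regression test in the regular testing described above.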
Example
An example of a system that was affected by this vulnerability can be found in CVE-2020-8009. In this case, a vulnerability in a Wifi API in a mobile application allowed attackers to access sensitive PII, such as usernames and passwords, as well as other sensitive information. The vulnerability was caused by the application not properly validating the data received from the API.