Inadequate Privacy Controls

Privacy controls focus on safeguarding Personally Identifiable Information (PII), such as names, addresses, credit card details, e-mail and IP addresses, and sensitive information about health, religion, sexuality, and political opinions. PII can be compromised in several ways, leading to violations of confidentiality (leakage), integrity (manipulation), or availability (destruction or blocking).

Remediation

Minimise the collection and storage of PII, retaining only what is essential for functionality and compliance.
Encrypt PII both in transit and at rest using strong encryption standards such as AES-256.
Implement strict access controls to ensure that only authorised personnel can access PII.
Use anonymisation or pseudonymisation techniques to reduce the sensitivity of stored data.
Apply data retention policies to securely delete PII that is no longer needed.

Metadata

Severity: low
Slug: inadequate-privacy-controls

CWEs

359: Exposure of Private Personal Information to an Unauthorized Actor

OWASP

M6:2024: Inadequate Privacy Controls

Available Labs

Open Java labs in SecDim Play for this vulnerability.

easy

Garbage Collector.android

Java Easy Android Signature

easy

PII.android

Java Easy Android Signature

Play AppSec WarGames

Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.

For Companies Play Now

Got a comment?

Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec code review, and more.