Cleartext Transmission of Sensitive Information (CWE-319)
Sensitive information is information that needs to be protected from unauthorized parties.
Types of Sensitive Information:
- Personally Identifiable Information (PII)
- Like Bank account number, Credit card number, Mobile number, Aadhar number, Biometric Data, etc.
- Business Confidential Information
- Classified information
All such Sensitive Information should not be transmitted over unencrypted channels like HTTP. Otherwise, there are chances that it gets compromised.
For this, an attacker needs to eavesdrop on each data packets sent from you, which is generally possible only if the attacker is in the same network as you are.
Types of this Vulnerability:
- Passwords transmitted in cleartext.
- The server sends passwords in cleartext to a log server.
- The server sends cleartext passwords in an email.