I have found a publicly accessible web page which discloses person-related data when queried with matching input data. This is against the company's own data protection promise. I want to report responsibly with a proper description and categorization of the problem.

The data required as input is:

  • The customer number, like xxx-xxx-xxx-x (10 digits, of which 1 is probably a checksum)
  • The four-digit ZIP code as a "security element" (of which about 4000 really exist)

The data provided on match between Customer ID and ZIP:

  • Full Name
  • Birthday
  • Residential address
  • Landline or Mobile Phone number (if provided by customer)

Their intent in providing this data is to support a purchase for the intended person, when you want to buy a gift.

How to categorize this problem?

Is there a proper CWE number for it? Probably CWE-213? Or is there another standardized categorization system?

Note: Both I and the company in question are located in Switzerland (which is not part of the European Union). I am not sure how legally binding the EU GDPR is here.

Marcel

1 Answer

If you are in a European Union country, you can just say it's a GDPR violation (even if it officially comes into effect on 25th May).

GDPR rules are widely talked about now and are exactly about preventing this sort of problem.

Data leaks can be generally arranged into 4 large categories:

  • Hacking (unauthorized access)
  • Losses/thefts (loss of data or documentation; example: a stolen notebook with company data)
  • Inadvertent (accidental data leak)
  • Wrongdoing (employee error)

Your case would fit better into the accidental data leak category, although it's a combination of that and wrongdoing (the configuration of the system permits the data extraction to occur under certain circumstances).

Note: It's not CWE-213 unless you can prove it was an intentional setup. CWE-201 may be more appropriate.

Overmind