
I am testing a product survey website. In response to a getSurveyResults() call, the following details of all survey participants shall be displayed to all website users.

  1. Nickname
  2. Location
  3. Rating
  4. Comments
  5. Age

However, in the results JSON, I could see the following additional fields for each survey participant.

  1. Order ID (product purchase ID)
  2. Survey questions and answers, such as married or not, number of pets, etc.
  3. Incentive received to write review
  4. Locale

Though these are not PII, does this count as a data leakage issue?

Jaya
  • The question is whether you are able to retrieve other participants' data or not. Data other than your own. – Jeroen Mar 20 '19 at 12:58
  • Yes. Anyone who is using the website can access all participants' data. – Jaya Mar 20 '19 at 13:02
  • This is a problem for sure! Even though the information is not really considered PII, I doubt this is the intended way. Good find! – Jeroen Mar 20 '19 at 13:07
  • I would consider this an info leak, because if I'm using my credentials, only my details should be shown, not those of other users. – 3lokh Apr 19 '19 at 16:19

1 Answer

If there is unauthorised access to data due to the way the process is designed, then that, by definition, is "data leakage".

There might be no impact by having the data leaked, depending on the type of data, or the designers might have classified the access type as effectively "authorised" because they deem it "public data", but that's a separate issue and a separate assessment.

If you can show that there is a negative impact to this leakage, then the severity increases. For instance, knowing the age, location, demographic survey questions, and order history would be enough to trigger many jurisdictions' data privacy laws (because it might be enough to uniquely identify someone). But that's situational and requires some context to assess.

schroeder
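An added example, not part of the original question or answer: a tester-side check that reports every field in a getSurveyResults() response outside the five fields meant to be public, next to the server-side allowlist projection that removes them. The JSON key names, the `results` wrapper and the sample data are assumptions constructed for illustration.

```python
import json

# The five fields the question says are meant to be public.
# The JSON key names themselves are assumed; the page only gives labels.
PUBLIC_FIELDS = {"nickname", "location", "rating", "comments", "age"}

# Constructed sample response (hypothetical keys, not real data).
SAMPLE_RESPONSE = json.dumps({"results": [
    {"nickname": "ann", "location": "Pune", "rating": 4,
     "comments": "ok", "age": 31,
     "orderId": "ORD-0001", "answers": {"married": True, "pets": 2},
     "incentive": "coupon", "locale": "en_IN"},
    {"nickname": "bob", "location": "Leeds", "rating": 5,
     "comments": "good", "age": 45},
]})


def leaf_paths(value, prefix):
    """Yield dotted paths so nested extras (survey answers) are listed too."""
    if isinstance(value, dict) and value:
        for key, child in value.items():
            yield from leaf_paths(child, f"{prefix}.{key}")
    else:
        yield prefix


def find_undocumented_fields(response_text, allowed=PUBLIC_FIELDS):
    """Tester side: map record index -> field paths not on the allowlist."""
    findings = {}
    for index, record in enumerate(json.loads(response_text)["results"]):
        extra = sorted(path for key, value in record.items()
                       if key not in allowed
                       for path in leaf_paths(value, key))
        if extra:
            findings[index] = extra
    return findings


def project_public(record, allowed=PUBLIC_FIELDS):
    """Server side: build the response from an allowlist, never the full record."""
    return {key: record[key] for key in allowed if key in record}


def sanitize_response(response_text):
    """Apply the allowlist projection to every participant record."""
    records = json.loads(response_text)["results"]
    return json.dumps({"results": [project_public(r) for r in records]})


if __name__ == "__main__":
    print(find_undocumented_fields(SAMPLE_RESPONSE))
    print(find_undocumented_fields(sanitize_response(SAMPLE_RESPONSE)))
```

Run against a captured response, the findings give the per-record evidence for a report; the projection is the usual remediation because fields added to the record later stay private by default.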