1

We have a client complaining that there is PII in the browser history (as in the persistent history you get to through your browser's menu - Ctrl + H in Chrome). For example, the URL for editing a user is something like: https://www.mysite.com/users/USERNAME_HERE/edit. And of course, that will show up in your browser history.

Is this really a security concern? What about other PII like order numbers (for a retail site)?

schroeder
  • 123,438
  • 55
  • 284
  • 319
jbyrd
  • 149
  • 4
  • Is there any requirement that the username must be the legal name? A name can be classified as PII, but if it's an arbitrarily selected username that would (should) be on them if they decide to put their real name in there. If I decide to use my social security number as my username, that shouldn't make the website owner suddenly have to hide my username wherever it appears. [obligatory IANAL] – Fire Quacker Apr 23 '20 at 17:32
  • 3
    @FireQuacker usernames are PII in most jurisdictions even if they are not legal names. Usernames are attributable to identify an individual. – schroeder Oct 21 '21 at 08:09
  • Your concerns (and your client's) are very much valid. To address the issue, I would start from agreeing what is PII in the client's context, and this is a legal issue, not an IT one. You will need the involvement of privacy aware layers to define PII in your case (is order # PII?) and also in the region you are doing business. PII regulations are different in Europe, in various US States and other countries. So, the question could get very complicated and the best way to start is to involve legal people and define PII. – papajony Oct 21 '21 at 10:43

5 Answers5

1

It really depends on the nature of the website. If the site already shows the username on other places (like here on this site) then it probably isn’t PII. If the username is show nowhere else, then it might be considered PII.

That being said, why is the username exposed in the url for an edit (apart from being the default for certain frameworks)? Especially since URLs are generally logged and saved in history, it is generally considered a bad practice to use usernames because it could give a hacker information about the usernames used in your system. Given this information and the fact that users tend to reuse passwords, the risks are getting bigger than they should be.

David Perfors
  • 119
  • 1
  • 1
    That's not how PII is defined or determined. You do, however, point out the security concern. – schroeder Oct 21 '21 at 07:59
  • Even though a username might not be PII, at least it could lead to PII. In the company I worked for, this was (partly) how PII was being determined. – David Perfors Oct 27 '21 at 11:45
  • "If the site already shows the username on other places (like here on this site) then it probably isn’t PII." -- if your company used this as a guide, then they are running afoul of nearly every Data Protection Regulation out there. – schroeder Oct 27 '21 at 12:03
1

Conceptually yes, anything you disclose that you don't need to is potentially a security risk. It is far easier to guess a password than a username and password. Also plenty of attacks rely on having one or a set of valid user names.

In a web application there is little to no reason to have usernames in URLs, you simply don't need them after authentication. The server knows who is logged in given the session identifier. The user does not need to be informed what their username is. You can use relative references to the logged in user like "session" or "me" or "user" or something and let the server match it to the actual user name if need be.

Pedro
  • 3,911
  • 11
  • 25
0

Here is a reference on PII that is relevant to the US. But you should do research into how PII is defined and what regulations are relevant to PII for wherever you are operating your site. You may also want to look into the same things where you are allowing users to use the site as you may also be held accountable in those locations.

It also may matter what you use as a username (e.g. Legal name, email address, etc)

It also may matter what industry you are operating within and what service you are providing, in case there are any extra regulations that you must follow.

Your customers trust you to protect the data you are holding, and you should err on the side of caution to avoid losing the trust of your customers.

The way to avoid most of these legal headaches, ambiguity, and security/privacy concerns: for this specific use case, is to use tokenization.

Do not expose data directly in urls (i.e. usernames, keys, identifiers, etc), rather map them to a token in session on the server. This way the numbers become meaningless when you expire the session.

In this case:

/users/bob/edit becomes /users/42/edit

iraleigh
  • 326
  • 2
  • 11
0

I agree with your client and with other answers here, that it is a security concern.

It's not always safe to assume that browser history is private to the user. You don't say who your client is, but if you're in the realm of PII, my mind automatically goes to a healthcare setting. I would be concerned about a HIPAA violation.

A patient may trust logging into their patient portal using a kiosk at a doctor's office, for example. However, another user (even someone on the back end in IT) even seeing the patient name and knowing they are a patient puts the org at risk.

I'm also not sure if you have the best understanding of PII given the question. For example, I'd usually not consider order number PII, of course it depends.

After working in healthcare for the past few years, I've learned that what is considered PII and PHI is often contextual. This is a great definition from the GSA:

"The term “PII,” as defined in OMB Memorandum M-07-1616 refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available - in any medium and from any source - that, when combined with other available information, could be used to identify an individual."

Order numbers would not usually be considered PII, in my experience. I worked at a wellness company that had a retail component, and order number was not considered PII in our systems, because of the way our databases were structured. However, I can think of a use case for order number being PII. Let's say you have a tracker tool that allows you to put in the order number, and see the location of the package and the full delivery address. Then you're in a situation where order number is revealing sensitive information.

Another definition that I like of PII is this one from the DOL, which says that

"information permitting the physical or online contacting of a specific individual is the same as personally identifiable information."

  • The question does not asks if an username is PII. It is of course PII. However, browser history is not public, it is local to the user (the one owning the username). No issue here. – A. Hersean Oct 20 '21 at 14:42
  • @A.Hersean the question does ask if the username is PII, because the asker says "We have a client complaining that there is PII in the browser history," and the asker seems to disagree. The asker also refers to "order number" as PII, which is not always correct. So I interpreted the question as such because he seems to lack a clear understanding of PII –  Oct 20 '21 at 15:00
  • Whether an username is PII is a secondary question, and I agree that when the question was asked (1.5 years ago), the OP had trouble understanding it. However, the main question is about the security issues that could arise with having an username or some other PII in the browser history. Your answer does not answer this question. – A. Hersean Oct 20 '21 at 15:06
  • @A.Hersean see last paragraph "even if they don't use their own name as a username, if they use a username that is active on other sites, that information could potentially be used by an attacker to initiate contact." It may be your assumption that browser history is private to the user but that is not explicitly stated in this use case. What if users are on a shared device? –  Oct 20 '21 at 15:13
  • Users on shared devices should use their own accounts, or if they cannot, they should not input sensitive information in a system they do not trust. It is not the responsibility of the server to ensure that its users are responsible or that their computers are free of malware. Once the data leave the server, it is not owned anymore by the server, it is not under its control. Indeed, if there's malware on the browser, the malware could copy any PII typed by the user, even if this PII does not stay in the browser's history. – A. Hersean Oct 20 '21 at 15:28
  • @A.Hersean in a healthcare setting, HIPAA violations are a concern as well as malware. A patient may trust logging into their patient portal using a kiosk at a doctor's office. However, another user (even someone on the back end in IT) even seeing the patient name and knowing they are a patient puts the org at risk. As an administrator, if I had a contractor who was arguing with me (the client) about tokenizing this data, I would be looking for another contractor. –  Oct 20 '21 at 16:21
  • Thanks for the edit. – schroeder Oct 21 '21 at 11:26
-1

Yes it is a privacy concern. In general, PII should not appear in the URL. The problem is that the URL is potentially logged in multiple places (the history as you say, or proxies, or even ISP or service provider proxies you are not aware of).

papajony
  • 454
  • 2
  • 8
  • Like the other answers talking about PII, you don't explain the concern. Why is PII in the URL a problem? – schroeder Oct 21 '21 at 10:40
  • I already say that it is logged in multiple places you are not aware of and you don't control (like your ISP's). – papajony Oct 21 '21 at 10:45
  • And how is that a problem? And that issue is only if TLS is broken. That's not a universal context. – schroeder Oct 21 '21 at 10:51
  • No. All proxies between client and server (your network's proxy, your ISP's proxy and so on) can see the request and log the URL in their logs irrelevant of TLS. They proxy admin in the ISP see the logs and get the PII. This would be a leak because of bad design (having the PII in the URL in the first place). – papajony Oct 21 '21 at 11:21