logo

Cleartext Storage of Sensitive Information

Draft Base
Structure: Simple
Description

This vulnerability occurs when an application stores sensitive data like passwords, credit card numbers, or personal information in plain text, without any encryption. This unsecured data is kept in files, databases, caches, or logs that could be accessed by unauthorized users or systems.

This vulnerability occurs when an application stores sensitive data like passwords, credit card numbers, or personal information in plain text, without any encryption. This unsecured data is kept in files, databases, caches, or logs that could be accessed by unauthorized users or systems.
Extended Description

Storing sensitive information in cleartext is a fundamental security failure because it removes the primary barrier protecting data at rest. Whether the exposure happens via a database breach, log file leakage, or insecure backups, attackers can immediately read and misuse the information without needing to crack encryption. This flaw directly violates the core security principle of defense in depth and is often the root cause of massive data breaches. To prevent this, developers must ensure that all sensitive data is encrypted before being written to any storage medium, using strong, standard cryptographic libraries. Additionally, consider minimizing data collection, implementing robust key management, and regularly auditing storage locations—like logs, debug files, and analytics caches—to ensure no sensitive data is accidentally persisted in plain text.
Common Consequences 1
Scope: Confidentiality

Impact: Read Application Data

An attacker with access to the system could read sensitive information stored in cleartext (i.e., unencrypted). Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.
Detection Methods 1
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Potential Mitigations 2
Phase: ImplementationSystem ConfigurationOperation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Phase: ImplementationSystem ConfigurationOperation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
Demonstrative Examples 7

ID : DX-44

The following code excerpt stores a plaintext user account ID in a browser cookie.

Code Example:

Bad
Java
java
Because the account ID is in plaintext, the user's account information is exposed if their computer is compromised by an attacker.

ID : DX-40

This code writes a user's login information to a cookie so the user does not have to login again later.

Code Example:

Bad
PHP
php
The code stores the user's username and password in plaintext in a cookie on the user's machine. This exposes the user's login information if their computer is compromised by an attacker. Even if the user's machine is not compromised, this weakness combined with cross-site scripting (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')) could allow an attacker to remotely copy the cookie.
Also note this example code also exhibits Plaintext Storage in a Cookie (Cleartext Storage of Sensitive Information in a Cookie).

ID : DX-41

The following code attempts to establish a connection, read in a password, then store it to a buffer.

Code Example:

Bad
C
c
While successful, the program does not encrypt the data before writing it to a buffer, possibly exposing it to unauthorized actors.

ID : DX-43

The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext.
This Java example shows a properties file with a cleartext username / password pair.

Code Example:

Bad
Java


Java Web App ResourceBundle properties file*


java
The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database but the pair is stored in cleartext.
Code Example:
Bad
ASP.NET
asp.net
Username and password information should not be included in a configuration file or a properties file in cleartext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information.
ID : DX-153
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.
At least one OT product stored a password in plaintext.
ID : DX-155
In 2021, a web site operated by PeopleGIS stored data of US municipalities in Amazon Web Service (AWS) Simple Storage Service (S3) buckets.
Code Example:
Bad
Other
other
While it was not publicly disclosed how the data was protected after discovery, multiple options could have been considered.
Code Example:
Good
Other
other
Consider the following PowerShell command examples for encryption scopes of Azure storage objects. In the first example, an encryption scope is set for the storage account.
Code Example:
Bad
Shell
shell
The result (edited and formatted for readability) might be:
Code Example:
Bad
Other
other




other
However, the empty string under RequireInfrastructureEncryption indicates this service was not enabled at the time of creation, because the -RequireInfrastructureEncryption argument was not specified in the command.
Including the -RequireInfrastructureEncryption argument addresses the issue:
Code Example:
Good
Shell
shell
This produces the report:
Code Example:
Result
Other
other




other
In a scenario where both software and hardware layer encryption is required ("double encryption"), Azure's infrastructure encryption setting can be enabled via the CLI or Portal. An important note is that infrastructure hardware encryption cannot be enabled or disabled after a blob is created. Furthermore, the default value for infrastructure encryption is disabled in blob creations.
  
Observed Examples 20
CVE-2022-30275Remote Terminal Unit (RTU) uses a driver that relies on a password stored in plaintext.
CVE-2009-2272password and username stored in cleartext in a cookie
CVE-2009-1466password stored in cleartext in a file with insecure permissions
CVE-2009-0152chat program disables SSL in some circumstances even when the user says to use SSL.
CVE-2009-1603Chain: product uses an incorrect public exponent when generating an RSA key, which effectively disables the encryption
CVE-2009-0964storage of unencrypted passwords in a database
CVE-2008-6157storage of unencrypted passwords in a database
CVE-2008-6828product stores a password in cleartext in memory
CVE-2008-1567storage of a secret key in cleartext in a temporary file
CVE-2008-0174SCADA product uses HTTP Basic Authentication, which is not encrypted
CVE-2007-5778login credentials stored unencrypted in a registry key
CVE-2001-1481Plaintext credentials in world-readable file.
CVE-2005-1828Password in cleartext in config file.
CVE-2005-2209Password in cleartext in config file.
CVE-2002-1696Decrypted copy of a message written to disk given a combination of options and when user replies to an encrypted message.
CVE-2004-2397Plaintext storage of private key and passphrase in log file when user imports the key.
CVE-2002-1800Admin password in plaintext in a cookie.
CVE-2001-1537Default configuration has cleartext usernames/passwords in cookie.
CVE-2001-1536Usernames/passwords in cleartext in cookies.
CVE-2005-2160Authentication information stored in cleartext in a cookie.
  
References 11
Writing Secure Code
Michael Howard and David LeBlanc
Microsoft Press
04-12-2002
https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223
ID: REF-7
The Art of Software Security Assessment
Mark Dowd, John McDonald, and Justin Schuh
Addison Wesley
2006
ID: REF-62
Mobile App Top 10 List
Chris Wysopal
13-12-2010
https://www.veracode.com/blog/2010/12/mobile-app-top-10-list(2023-04-07)
ID: REF-172
OT:ICEFALL: The legacy of "insecure by design" and its implications for certifications and risk management
Forescout Vedere Labs
20-06-2022
https://www.forescout.com/resources/ot-icefall-report/
ID: REF-1283
Over 80 US Municipalities' Sensitive Information, Including Resident's Personal Data, Left Vulnerable in Massive Data Breach
WizCase
20-07-2021
https://www.wizcase.com/blog/us-municipality-breach-report/
ID: REF-1295
1,000 GB of local government data exposed by Massachusetts software company
Jonathan Greig
22-07-2021
https://www.zdnet.com/article/1000-gb-of-local-government-data-exposed-by-massachusetts-software-company/
ID: REF-1296
AWS Foundational Security Best Practices controls
Amazon
2022
https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html(2023-04-07)
ID: REF-1297
Azure encryption overview
Microsoft
18-08-2022
https://learn.microsoft.com/en-us/azure/security/fundamentals/encryption-overview(2022-10-11)
ID: REF-1299
Default encryption at rest
Google Cloud
11-10-2022
https://cloud.google.com/docs/security/encryption/default-encryption(2022-10-11)
ID: REF-1301
CIS Microsoft Azure Foundations Benchmark version 1.5.0
Center for Internet Security
16-08-2022
https://www.cisecurity.org/benchmark/azure(2023-01-19)
ID: REF-1307
Enable infrastructure encryption for double encryption of data
Microsoft
14-07-2022
https://learn.microsoft.com/en-us/azure/storage/common/infrastructure-encryption-enable(2023-01-24)
ID: REF-1310
 
  
    
 
 
Applicable Platforms 
 
 
 
 
 
Languages:
 
 
 Not Language-Specific : Undetermined 
 
 
Technologies:
 
 
 Cloud Computing : UndeterminedICS/OT : UndeterminedMobile : Undetermined 
 
 
 
  
 
 
Modes of Introduction 
 
 
 
 
 
  Architecture and Design  
 
 
 
  
Related Attack Patterns 
        
 
 
Related Weaknesses 
 
 
 
 
  ChildOf:
 Missing Encryption of Sensitive Data (CWE-311) 
  ChildOf:
 Missing Encryption of Sensitive Data (CWE-311) 
  ChildOf:
 Insecure Storage of Sensitive Information (CWE-922) 
 
 
 
 
Taxonomy Mapping 
  • PLOVER
  • Software Fault Patterns
  • ISA/IEC 62443
  • ISA/IEC 62443
  
Notes 
TerminologyDifferent people use "cleartext" and "plaintext" to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).
OtherWhen organizations adopt cloud services, it can be easier for attackers to access the data from anywhere on the Internet.