This vulnerability occurs when a user interface displays a security feature as active and functional, but the underlying code that powers it is either missing or disabled. Users receive visual confirmation that a protection is in place, creating a false sense of security.
This flaw is a classic case of UI deception, where the front-end presentation and the back-end logic are dangerously misaligned. It often happens during rushed development cycles, feature toggling, or when a security control is deprecated but its visual elements are not removed. Users might see buttons, checkboxes, or status messages indicating features like 'encryption enabled,' 'admin audit logging active,' or '2FA required,' but these controls do nothing when interacted with, leaving the application exposed. The primary risk is that users and administrators will rely on these phantom protections, making riskier decisions under the assumption they are safe. To prevent this, development and QA teams must implement integration tests that verify the backend security logic is actually triggered for every front-end control, rather than only checking that the control renders. Code reviews should specifically check for 'dead' UI components and ensure that any feature flag or configuration setting that disables a security function also consistently removes or grays out its interface elements.
Impact: Varies by Context
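The mismatch described above and the integration check that catches it, as an added Python example that is not part of the original entry; the AuditLogger, AdminPanel and feature-flag names are assumed for illustration:

```python
from dataclasses import dataclass, field


@dataclass
class AuditLogger:
    """Backend audit log. `enabled` stands in for a feature flag or config toggle (assumed)."""
    enabled: bool
    records: list = field(default_factory=list)

    def record(self, actor: str, action: str) -> bool:
        # Return True only when an entry was actually persisted.
        if not self.enabled:
            return False
        self.records.append((actor, action))
        return True


class AdminPanel:
    """Status endpoint feeding the admin UI (hypothetical)."""

    def __init__(self, logger: AuditLogger):
        self.logger = logger

    def status_vulnerable(self) -> dict:
        # The flaw: a hard-coded label never tied to backend state, so the UI
        # keeps reporting "active" after the flag has switched logging off.
        return {"audit_logging": "active"}

    def status_hardened(self) -> dict:
        # The fix: derive the label from the live backend control.
        return {"audit_logging": "active" if self.logger.enabled else "disabled"}


def ui_matches_backend(status: dict, logger: AuditLogger) -> bool:
    """Integration check: exercise the control, then compare what the UI
    claims with the effect actually observed in the backend."""
    before = len(logger.records)
    logger.record("integration-test", "privileged_action")
    wrote = len(logger.records) > before
    claims_active = status["audit_logging"] == "active"
    return claims_active == wrote


if __name__ == "__main__":
    # Constructed scenario: a feature flag has disabled audit logging in the backend.
    logger = AuditLogger(enabled=False)
    panel = AdminPanel(logger)
    print("vulnerable UI consistent:", ui_matches_backend(panel.status_vulnerable(), logger))  # False
    print("hardened UI consistent:", ui_matches_backend(panel.status_hardened(), logger))  # True
```

The check fails for the hard-coded status and passes for the derived one, which is the assertion a CI integration test should make for every security-related control the UI displays.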