logo

Reliance on Security Through Obscurity

Draft Class
Structure: Simple
Description

This weakness occurs when a system's primary defense relies on hiding how it works, rather than using a robust, well-tested security mechanism. If an attacker discovers the hidden details—like a secret algorithm or hardcoded key—the protection fails completely.

Extended Description

Relying on secrecy as your main security layer is risky because determined attackers can often reverse-engineer your code, protocols, or configuration. This approach, often called 'security through obscurity,' creates a false sense of safety and leads to vulnerabilities that are easily exploited once the secret is out. While obscurity can be a minor, additional hurdle in a broader defense-in-depth strategy, it should never be the cornerstone of your security. Effective protection must be built on proven, transparent mechanisms like strong encryption and proper authentication, which remain secure even when their inner workings are publicly known.
Common Consequences 1
Scope: ConfidentialityIntegrityAvailabilityOther

Impact: Other

The security mechanism can be bypassed easily.
Potential Mitigations 2
Phase: Architecture and Design
Always consider whether knowledge of your code or design is sufficient to break it. Reverse engineering is a highly successful discipline, and financially feasible for motivated adversaries. Black-box techniques are established for binary analysis of executables that use obfuscation, runtime analysis of proprietary protocols, inferring file formats, and others.
Phase: Architecture and Design
When available, use publicly-vetted algorithms and procedures, as these are more likely to undergo more extensive security analysis and testing. This is especially the case with encryption and authentication.
Demonstrative Examples 1

ID : DX-168

The design of TCP relies on the secrecy of Initial Sequence Numbers (ISNs), as originally covered in CVE-1999-0077 [REF-542]. If ISNs can be guessed (due to predictability, Use of Insufficiently Random Values) or sniffed (due to lack of encryption during transmission, Cleartext Storage of Sensitive Information), then an attacker can hijack or spoof connections. Many TCP implementations have had variations of this problem over the years, including CVE-2004-0641, CVE-2002-1463, CVE-2001-0751, CVE-2001-0328, CVE-2001-0288, CVE-2001-0163, CVE-2001-0162, CVE-2000-0916, and CVE-2000-0328.
Observed Examples 4
CVE-2006-6588Reliance on hidden form fields in a web application. Many web application vulnerabilities exist because the developer did not consider that "hidden" form fields can be processed using a modified client.
CVE-2006-7142Hard-coded cryptographic key stored in executable program.
CVE-2005-4002Hard-coded cryptographic key stored in executable program.
CVE-2006-4068Hard-coded hashed values for username and password contained in client-side script, allowing brute-force offline attacks.
References 3
The Protection of Information in Computer Systems
Jerome H. Saltzer and Michael D. Schroeder
Proceedings of the IEEE 63
09-1975
http://web.mit.edu/Saltzer/www/publications/protection/
ID: REF-196
Never Assuming that Your Secrets Are Safe
Sean Barnum and Michael Gegick
14-09-2005
https://web.archive.org/web/20220126060054/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/never-assuming-that-your-secrets-are-safe(2023-04-07)
ID: REF-544
RFC: 793, TRANSMISSION CONTROL PROTOCOL
Jon Postel, Editor
Information Sciences Institute
09-1981
https://www.ietf.org/rfc/rfc793.txt(2023-04-07)
ID: REF-542
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Alternate Terms

Never Assuming your secrets are safe
Related Weaknesses
ChildOf: Violation of Secure Design Principles (CWE-657)
ChildOf: Protection Mechanism Failure (CWE-693)
CanPrecede: Use of Hard-coded Password (CWE-259)
CanPrecede: Use of Hard-coded Cryptographic Key (CWE-321)
CanPrecede: External Control of Assumed-Immutable Web Parameter (CWE-472)
Notes
RelationshipNote that there is a close relationship between this weakness and Use of Client-Side Authentication (Use of Client-Side Authentication). If developers do not believe that a user can reverse engineer a client, then they are more likely to choose client-side authentication in the belief that it is safe.