Hidden Functionality

Status: Incomplete
Abstraction: Class
Structure: Simple
Description

Hidden functionality refers to undocumented features, commands, or code within a product that are not part of its official specification and are not obvious to users or administrators.

Extended Description

This hidden code can take many forms, from seemingly harmless developer shortcuts such as hard-coded backdoor accounts or undocumented debug commands, to intentionally malicious logic, to non-essential 'Easter eggs'. Regardless of intent, undocumented behavior creates a security blind spot: it is not accounted for during standard security reviews, testing, or user training, so weaknesses in it go unnoticed. From an attack perspective, hidden functionality expands the product's attack surface by exposing code paths that attackers can discover and exploit. Even when it is not reachable through normal use, attackers can often trigger this code by manipulating the application's control flow, leading to unauthorized access, data breaches, or system compromise.

Common Consequences
Scope: Other, Integrity

Impact: Varies by Context; Alter Execution Logic

Potential Mitigations
Phase: Installation
Always verify the integrity of the product that is being installed.
Phase: Testing
Conduct a code coverage analysis using live testing, then closely inspect any code that is not covered.
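The Installation-phase mitigation above, worked through as an added example that is not part of the CWE entry: an install tree is checked against a pinned SHA-256 manifest before anything is installed. The sha256sum-style manifest format, the helper names and the sample tree are all assumptions made for the illustration. Note that the check reports files present on disk but absent from the manifest, since an extra script the vendor's own file list never mentions is exactly the kind of hidden functionality worth looking at before install.

```python
"""Integrity check of an install tree against a pinned SHA-256 manifest.

Added example for the Installation-phase mitigation; it is not part of the
CWE entry. The manifest format (sha256sum-style lines), the helper names and
the sample tree written below are assumptions made for the illustration.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class VerifyResult:
    ok: bool
    mismatched: list = field(default_factory=list)  # listed, but digest differs
    missing: list = field(default_factory=list)     # listed, but absent on disk
    unlisted: list = field(default_factory=list)    # on disk, never listed


def sha256_file(path, chunk=65536):
    """Stream the file through SHA-256 so large artifacts stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Parse '<sha256hex>  <relative/path>' lines (the shape sha256sum emits)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, rel = line.partition("  ")
        if not sep or len(digest) != 64 or not rel:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[rel] = digest.lower()
    return entries


def verify_tree(root, manifest):
    """Compare every file under root with the manifest.

    Files present on disk but absent from the manifest are reported as well:
    an extra script the vendor's own file list never mentions is precisely
    the kind of hidden functionality worth inspecting before installing.
    """
    result = VerifyResult(ok=True)
    on_disk = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            on_disk.add(os.path.relpath(full, root).replace(os.sep, "/"))
    for rel, expected in manifest.items():
        if rel not in on_disk:
            result.missing.append(rel)
        elif sha256_file(os.path.join(root, rel)) != expected:
            result.mismatched.append(rel)
    result.unlisted = sorted(on_disk - set(manifest))
    result.ok = not (result.mismatched or result.missing or result.unlisted)
    return result


def build_sample_tree(root):
    """Constructed sample: pins three files, then writes a tree in which one is
    altered, one is missing, and one undocumented script has been added."""
    pinned = {
        "bin/app.py": b"print('documented entry point')\n",
        "lib/util.py": b"def helper():\n    return 1\n",
        "docs/README.md": b"# Documented product\n",
    }
    manifest = "\n".join(f"{hashlib.sha256(data).hexdigest()}  {rel}"
                         for rel, data in pinned.items())
    written = dict(pinned)
    written["lib/util.py"] = b"def helper():\n    return 2  # altered\n"
    del written["docs/README.md"]
    written["lib/legacy_export.php"] = b"<?php /* not in the manifest */ ?>\n"
    for rel, data in written.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return manifest


def demo():
    """Run the check over the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        manifest = parse_manifest(build_sample_tree(root))
        return verify_tree(root, manifest)


if __name__ == "__main__":
    r = demo()
    print("ok:", r.ok)
    print("mismatched:", r.mismatched, "missing:", r.missing, "unlisted:", r.unlisted)
```

The check is only as trustworthy as the manifest: obtain it over a separate, authenticated channel (or verify a signature on it) rather than from the same download as the artifact, otherwise an attacker who alters the package can simply ship a matching manifest.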
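The Testing-phase mitigation above, and the hidden command paths the Extended Description talks about, worked through together as an added example that is not part of the CWE entry. A small command service carries an undocumented "__export" command next to its documented ones; the test suite a tester would write from the manual never sends it, so function-level coverage recorded with sys.settrace flags the handler as code the live tests never reach. The service, its documented command list, the hidden command and the workload are all constructed for the illustration.

```python
"""Live-test code coverage used to flag functionality the documentation never
mentions.

Added example; not from the CWE entry. The small command service, its
documented command list, the undocumented "__export" command and the test
workload are all constructed for the illustration. The coverage part uses
only sys.settrace from the standard library.
"""
import inspect
import sys

# ---- product under test (constructed) ---------------------------------------

# What the manual says the service accepts; reviewers and testers work from this.
DOCUMENTED_COMMANDS = {"list", "get", "put"}

STORE = {"readme": "public text"}


def cmd_list(args):
    return sorted(STORE)


def cmd_get(args):
    return STORE.get(args[0])


def cmd_put(args):
    STORE[args[0]] = args[1]
    return "ok"


def cmd_debug_export(args):
    # Undocumented developer shortcut: dumps the whole store, no checks at all.
    return dict(STORE)


# The hidden entry lives only here; nothing the user sees mentions "__export".
DISPATCH = {
    "list": cmd_list,
    "get": cmd_get,
    "put": cmd_put,
    "__export": cmd_debug_export,
}


def handle(command, args):
    fn = DISPATCH.get(command)
    return "unknown command" if fn is None else fn(args)


# ---- Testing-phase mitigation: coverage from live tests ---------------------

def documented_workload():
    """The live test suite: every documented command plus the unknown-command
    path. A tester working from the manual has no reason to send "__export"."""
    assert handle("put", ["note", "hello"]) == "ok"
    assert handle("get", ["note"]) == "hello"
    assert handle("list", []) == ["note", "readme"]
    assert handle("bogus", []) == "unknown command"


HARNESS = {"documented_workload", "product_functions",
           "run_with_function_coverage", "unreached_after_live_test"}


def product_functions():
    """All module-level functions except the harness. In a real project the
    product's modules would be enumerated instead of one shared file."""
    return [obj for name, obj in sorted(globals().items())
            if inspect.isfunction(obj) and name not in HARNESS]


def run_with_function_coverage(workload, candidates):
    """Run workload() with a trace hook that records every code object entered,
    then return the names of candidate functions that were never called."""
    reached = set()

    def tracer(frame, event, arg):
        if event == "call":
            reached.add(frame.f_code)
        return None  # no line-level tracing needed; function entry is enough

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        workload()
    finally:
        sys.settrace(previous)
    return sorted(f.__name__ for f in candidates if f.__code__ not in reached)


def unreached_after_live_test():
    """Names of product functions the documented tests never reach; each one is
    a candidate for close inspection."""
    return run_with_function_coverage(documented_workload, product_functions())


if __name__ == "__main__":
    print("never reached by the documented tests:", unreached_after_live_test())
    # Inspection then shows why it matters: the hidden path is live and unchecked.
    print("__export with no credentials returns:", handle("__export", []))
```

Function-entry granularity is enough to surface a whole hidden handler, but a hidden branch inside an otherwise exercised function needs line or branch coverage (coverage.py in a real project). Whatever the tool reports as unreached is a starting point for review, not proof of a backdoor; and once the review confirms the code serves no documented purpose, the fix is to delete it rather than gate it behind another undocumented check.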
Observed Examples
CVE-2022-31260: Chain: a digital asset management program has an undisclosed backdoor in the legacy version of a PHP script (Hidden Functionality) that could allow an unauthenticated user to export metadata (Missing Authentication for Critical Function).
CVE-2022-3203: A wireless access point manual specifies that the only method of configuration is via the web interface (Insufficient Technical Documentation), but there is an undisclosed telnet server that is activated by default (Hidden Functionality).
Applicable Platforms
Technologies:
Not Technology-Specific (Prevalence: Undetermined)
ICS/OT (Prevalence: Undetermined)
Modes of Introduction
Architecture and Design
Implementation
Related Attack Patterns