What is Information Disclosure?

Imagine that while scrolling through a website’s source code, you come across the admin username and password that the developer hardcoded and forgot to remove. Because you are a white hat, it’s not a problem: you’ll inform the site owner. But what if it falls into the hands of a black hat hacker? This is a classic example of an Information Disclosure vulnerability.

Information Disclosure is a type of vulnerability that can cause small to severe problems for websites or affected platforms. It occurs when crucial or sensitive information is accidentally exposed to the public. According to the OWASP Top 10, Information Disclosure falls under the Cryptographic Failures category. This vulnerability can act as a gateway to other dangerous vulnerabilities that may even allow full control over the target system.

How does Information Disclosure occur?

There is no single main cause of information disclosure. This vulnerability can occur in multiple ways, which we discuss below. But before that, we need to look at the types of information that should not be disclosed:

  • Data about other users, such as usernames, passwords, and financial information.
  • Confidential commercial or business information.
  • Underlying architecture or design of the platform.

Now, we can look at the reasons behind its occurrence:

  • Server Raised Issues: Servers normally give too much information by default, like Apache/Nginx headers, error pages, etc.
  • Mishandling by Developers: Some developers forget to remove or disable detailed error messages from the platform, and some of them even forget to remove hardcoded information.
  • Improper File Permissions: When sensitive files are available to the public, it raises the same information disclosure problem.
  • Information from APIs: Almost all large websites use external APIs, and just like servers, APIs also give too much information by default, which is valuable to a hacker.
  • Log Problem: Logs written to the frontend or leaked via /logs can expose auth tokens or errors.

And there are many other possible causes besides the ones mentioned above, but the most crucial ones are listed here.
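As an added example (not code from the original article), the following defender-side check looks at one HTTP response for two of the causes listed above: version banners in server headers and debug output in error pages. The header list, body patterns and sample responses are constructed assumptions, not an exhaustive rule set.

```python
import re

# Headers that commonly reveal software names or versions (assumed list).
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
VERSION_RE = re.compile(r"\d+(\.\d+)+")

# Signatures of debug output in a response body (constructed, not exhaustive).
BODY_PATTERNS = {
    "python traceback": re.compile(r"Traceback \(most recent call last\)"),
    "java stack trace": re.compile(r"^\s+at [\w.$]+\([\w.]+:\d+\)", re.M),
    "sql error": re.compile(r"SQL syntax|ORA-\d{5}|SQLSTATE\[", re.I),
    "filesystem path": re.compile(r"/var/www/|/home/\w+/"),
}

def audit_response(headers, body):
    """Return a list of (location, finding) tuples for one HTTP response."""
    findings = []
    for name, value in headers.items():
        if name.lower() in BANNER_HEADERS:
            # A bare product name is a weaker leak than an exact version.
            detail = "version exposed" if VERSION_RE.search(value) else "product exposed"
            findings.append((f"header {name}", detail))
    for label, pattern in BODY_PATTERNS.items():
        if pattern.search(body):
            findings.append(("body", label))
    return findings

# Constructed sample responses: a default-configured server and a hardened one.
LEAKY = (
    {"Server": "Apache/2.4.0 (Unix)", "X-Powered-By": "PHP/7.0.0",
     "Content-Type": "text/html"},
    '<pre>Traceback (most recent call last):\n'
    '  File "/var/www/app/views.py", line 12\n</pre>',
)
HARDENED = ({"Content-Type": "text/html"}, "<h1>Something went wrong</h1>")

if __name__ == "__main__":
    for label, (hdrs, body) in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, audit_response(hdrs, body))
```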

Impact of Information Disclosure

Let us go through some of the impacts that your website may face due to the information disclosure vulnerability:

  • Attackers can gather valuable insights about the system’s structure, technologies, and vulnerabilities, which aids in planning attacks.
  • This information can give attackers an entry point to exploit.
  • If configuration files, database details, or other sensitive data about a person with higher privileges on the website are exposed, it can lead to privilege escalation.
  • Exposed personal or confidential data can lead to identity theft, fraud, or intellectual property theft.
  • Public information leakage, especially user data or information about vulnerabilities before patching, can severely damage an organization’s reputation and erode user trust.
  • Information leakage can also lead to legal consequences for the organization.
  • Information disclosure can lead to more vulnerabilities. For example, if an attacker learns which server version your site is running and, upon checking online, discovers an RCE vulnerability for it, they can easily escalate their attack to a higher level.

Prevention of Information Disclosure

Now, we can look at how we can prevent the occurrence of information disclosure while building a product or while helping organizations solve the problem.

  • Employee Training: Make sure that employees in the company are aware of the vulnerability and perform proper checks before making the platform live.
  • Access Control: Implement the principle of least privilege (PoLP). Only authorized users should have access to sensitive information.
  • Data Encryption: Always encrypt sensitive data at rest and in transit using strong encryption algorithms (e.g., AES-256, RSA). This ensures that even if data is intercepted or accessed, it remains unreadable.
  • Regular Audits: Conduct regular audits in the organization to detect any unauthorized access or leakage of sensitive information.

Preventing these vulnerabilities is crucial in maintaining confidentiality and protecting sensitive data.

Examples in the real world

Some examples of information disclosure that we can see in the real world are mentioned below:

  • Exposing the names, structure, and contents of hidden directories through a robots.txt file or by enabling directory listing.
  • Allowing access to source code files through temporary backup copies.
  • Embedding sensitive information like API keys, IP addresses, and database credentials directly in the source code, while also indicating the presence or absence of resources, usernames, etc., through subtle variations in application behavior. For example, when accessing a website’s login page with two input boxes, one for the username and one for the password, if you enter an incorrect username, the output might be: “No user with that name.” However, when brute-forcing with possible usernames, if you suddenly get a different error prompt, such as “Password is not matching,” it indicates that the username already exists, meaning there is a user with that specific username. Now, you only need to crack the password, either through brute-forcing or other methods.
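The login behaviour described in the last item, shown as an added example that is not code from the original article: a handler that leaks whether a username exists, next to a hardened version that returns one uniform response. The function names, the sample account and the dummy-record approach are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_pw(password, salt)}

USERS = {"alice": make_user("correct horse")}  # constructed sample account
# Dummy record: unknown usernames still trigger the same hashing work,
# so response time does not reveal which names exist.
DUMMY = make_user("placeholder")

def login_leaky(username, password):
    """Leaky: distinct status and message per failure reason."""
    user = USERS.get(username)
    if user is None:
        return 404, "No user with that name."
    if not hmac.compare_digest(hash_pw(password, user["salt"]), user["hash"]):
        return 401, "Password is not matching."
    return 200, "Welcome."

def login_uniform(username, password):
    """Hardened: one response for every failed attempt."""
    user = USERS.get(username)
    record = user or DUMMY
    ok = hmac.compare_digest(hash_pw(password, record["salt"]), record["hash"])
    # The dummy record can never authenticate, even with its own password.
    if user is None or not ok:
        return 401, "Invalid username or password."
    return 200, "Welcome."

if __name__ == "__main__":
    for name in ("alice", "bob"):
        print(name, login_leaky(name, "wrong"), login_uniform(name, "wrong"))
```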

Go and experiment with some of the sites you know that are eligible for public bug bounty programs. While doing that activity, you will come across more ways to find the information disclosure vulnerability. The above examples are just a starting point to help you understand that there may be a chance to find the vulnerability by doing “this.”

Resources for Practicing Information Disclosure

There are many resources available in the wild, but the best ones for beginners can be found in the PortSwigger labs on the topic of information disclosure and TryHackMe rooms.

There are easy labs to start gaining hands-on experience.

Conclusion

Information Disclosure is a very serious security flaw that leaks sensitive information, which then causes possible attacks such as identity theft, fraud, and system intrusion. Most of the time, it is a result of misconfigurations, coding mistakes, or inappropriate permissions. To avoid it, implement solid access controls, encrypt information, and regularly run security audits. Training on sites such as PortSwigger Labs and TryHackMe is all about improving your ability to detect and correct such flaws, hence improving cybersecurity.
