
Cleartext Machine Key

What does this mean?

The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

What can happen?

Because the information is stored in cleartext, anyone who can read the resource (a config file, a cookie, a log, a buffer) can read the secret. Even if the information is encoded in a way that is not human-readable, the encoding can be identified and reversed; encoding is not encryption. Over the last few years, this has been the most common impactful attack, and the most common flaw is simply not encrypting sensitive data.

Recommendation

  • The code should not store the user's username and password in plaintext in a cookie on the user's machine; keep the credentials server-side and give the client only an opaque session identifier.
  • The program should encrypt the data before writing it to a buffer.
  • Username and password information should not be included in a configuration file or a properties file in plaintext, as this allows anyone who can read the file to access the resource. Keep such secrets outside the file (an encrypted configuration section or a secrets store) and reference them at runtime.

Sample Code

Vulnerable:

...
<connectionStrings>
  <add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" />
</connectionStrings>
...

Vulnerable:

# Java Web App ResourceBundle properties file
...
webapp.ldap.username=secretUsername
webapp.ldap.password=secretPassword
...
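As an added example (not code from the original page), a small Python check that scans the two vulnerable configuration samples above for credential keys whose values are stored in the clear. It assumes two conventions for "not cleartext": a `${...}` reference resolved at runtime and an `ENC(...)` ciphertext wrapper; the hardened samples are constructed to show both.

```python
import re
import xml.etree.ElementTree as ET

# Key names (case-insensitive suffix match) that hold credentials.
SECRET_KEYS = ("password", "passwd", "pwd", "secret", "apikey", "api_key", "token")

# Values that are not cleartext: empty, a ${...} runtime reference, or an ENC(...) ciphertext wrapper (assumed conventions).
NOT_CLEARTEXT = re.compile(r"^\s*(\$\{[^}]*\}|ENC\([^)]*\))?\s*$", re.IGNORECASE)

def is_secret_key(key):
    k = key.strip().lower()
    return any(k.endswith(s) for s in SECRET_KEYS)

def scan_connection_strings(xml_text):
    """Return (entry, key) for each cleartext secret in <add connectionString=...>."""
    findings = []
    for add in ET.fromstring(xml_text).iter("add"):
        entry = "connectionStrings/" + add.get("name", "?")
        for pair in add.get("connectionString", "").split(";"):
            if "=" not in pair:
                continue
            key, value = pair.split("=", 1)
            if is_secret_key(key) and not NOT_CLEARTEXT.match(value):
                findings.append((entry, key.strip()))
    return findings

def scan_properties(text):
    """Return (location, key) for each cleartext secret in a Java .properties file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped[0] in "#!" or "=" not in stripped:
            continue
        key, value = stripped.split("=", 1)
        if is_secret_key(key) and not NOT_CLEARTEXT.match(value):
            findings.append((f"properties:{lineno}", key.strip()))
    return findings

# Constructed samples: the page's two vulnerable files and a hardened form of each.
VULNERABLE_CONFIG = """<connectionStrings>
  <add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" />
</connectionStrings>"""
HARDENED_CONFIG = VULNERABLE_CONFIG.replace("pwd=password", "pwd=${DB_PASSWORD}")
VULNERABLE_PROPERTIES = "# Java Web App ResourceBundle properties file\nwebapp.ldap.username=secretUsername\nwebapp.ldap.password=secretPassword\n"
HARDENED_PROPERTIES = VULNERABLE_PROPERTIES.replace("secretPassword", "ENC(constructed-ciphertext)")

if __name__ == "__main__":
    print(scan_connection_strings(VULNERABLE_CONFIG), scan_connection_strings(HARDENED_CONFIG))
    print(scan_properties(VULNERABLE_PROPERTIES), scan_properties(HARDENED_PROPERTIES))
```

The same two functions can be pointed at real web.config and .properties files; a hit means a secret that anyone with read access to the file can use.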

Vulnerable:

<?php
// Writes the username and password, unencrypted, into a cookie on the user's machine.
function persistLogin($username, $password) {
  $data = array("username" => $username, "password" => $password);
  // setcookie() takes a string value, so the array is serialised; the credentials stay in cleartext.
  setcookie("userdata", json_encode($data));
}
