
Weak HTTP transmission

Open. mridulsg opened this issue 3 years ago • 1 comment

Submission Reference: 0eee5d2516e4b5921f3f77ce006660c4fb992fb5d0a32abbc71ce771cd7784b1

Broken Authentication and Session Management → Weak Login Function → Over HTTP

The team is looking only into plain-text transfer of data at login, whereas the application has forms which ask users for PII such as email, phone, etc. (refer to the submission), which should also be considered sensitive. Data is not only sensitive at login; it can be sensitive in other forms as well. Marking it directly Not Applicable is not the correct procedure. I would request the team to look into this VRT.

mridulsg avatar Dec 29 '21 05:12 mridulsg
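The distinction the report makes (credentials over HTTP versus other PII-collecting forms over HTTP) can be checked mechanically. The following is an added example, not code from Bugcrowd or the VRT repository: it parses a page's forms, resolves each form's submit URL, and, when the submit URL is plain http://, classifies the form as a credential form or a PII form. The two VRT strings are the entries named in this thread; the field-name word lists and the sample page are constructed assumptions for the demo.

```python
"""Flag HTML forms that would submit credentials or PII over plain HTTP.

Added example, not the VRT project's code. The sample page is constructed
inline; the VRT names are the two entries discussed in this issue.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristic word lists (assumption): field names that signal a credential or PII.
CREDENTIAL_HINTS = {"password", "passwd", "pwd", "otp", "token"}
PII_HINTS = {"email", "phone", "mobile", "ssn", "dob", "address", "card", "iban"}

VRT_LOGIN_OVER_HTTP = ("Broken Authentication and Session Management -> "
                       "Weak Login Function -> Over HTTP")
VRT_CLEARTEXT_SENSITIVE = ("Insecure Data Transport -> "
                           "Cleartext Transmission of Sensitive Data")


class FormCollector(HTMLParser):
    """Collect every <form> with its action and the (name, type) of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            self._current["fields"].append(
                ((a.get("name") or "").lower(), (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify(fields):
    """Return 'credential', 'pii' or None for a form's list of (name, type)."""
    names = {n for n, _ in fields}
    types = {t for _, t in fields}
    if "password" in types or names & CREDENTIAL_HINTS:
        return "credential"
    if "email" in types or "tel" in types or any(h in n for n in names for h in PII_HINTS):
        return "pii"
    return None


def find_cleartext_forms(page_url, html):
    """Return (submit_url, kind, vrt_entry) for each sensitive form posted over http://."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        submit_url = urljoin(page_url, form["action"])  # relative actions inherit the page scheme
        if urlsplit(submit_url).scheme != "http":
            continue  # https (or another scheme): not a cleartext-transmission finding
        kind = classify(form["fields"])
        if kind == "credential":
            findings.append((submit_url, kind, VRT_LOGIN_OVER_HTTP))
        elif kind == "pii":
            findings.append((submit_url, kind, VRT_CLEARTEXT_SENSITIVE))
    return findings


# Constructed sample page served from an http:// origin: a login form, a payment
# form that posts to https, a contact form asking for PII, and a harmless search form.
SAMPLE_URL = "http://shop.example/account"
SAMPLE_HTML = """
<form action="/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<form action="https://shop.example/secure-pay" method="post">
  <input name="card_number"><input name="cvv">
</form>
<form action="/contact" method="post">
  <input name="fullname"><input name="email" type="email"><input name="phone" type="tel">
</form>
<form action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for url, kind, vrt in find_cleartext_forms(SAMPLE_URL, SAMPLE_HTML):
        print(f"{kind:10} {url}  ->  {vrt}")
```

On the sample page the login form maps to the Weak Login Function entry and the contact form to Cleartext Transmission of Sensitive Data, while the search form and the https payment form are ignored. One caveat: the check looks only at the submit URL, so an http:// page whose form posts to https:// is not flagged even though an on-path attacker can rewrite the page (and its form action) before the user submits; a full assessment should also treat the page's own scheme as part of the finding.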

Totally agree @mridulsg

BountyOverflow avatar Feb 20 '22 03:02 BountyOverflow

Good point @mridulsg. For me also, it is not only about logging in; sending sensitive data in other forms via HTTP should also be taken into account.

Quick update: it sounds like 'Insecure Data Transport → Cleartext Transmission of Sensitive Data' (priority: Varies).

mbiesiad avatar Apr 01 '23 11:04 mbiesiad

@mbiesiad is right; that is the actual VRT entry for this. We've also discussed it with the team and decided to keep that.

I'm going to close this issue.

If there is anything else, you can open a new issue or reach out to me personally.

TimmyBugcrowd avatar May 16 '23 13:05 TimmyBugcrowd