Plaintext Storage in Executable| ID: 318 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Variant |
Description
Sensitive information should not be stored in plaintext in an
executable. Attackers can reverse engineer a binary code to obtain secret
data.
Applicable PlatformsLanguage Class: All
Time Of Introduction
- Architecture and Design
- Implementation
Related Attack Patterns
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Confidentiality | Read application
data | |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| | | Sensitive information should not be stored in an executable. Even if
heavy fortifications are in place, sensitive data should be encrypted to
prevent the risk of losing confidentiality. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-318 ChildOf CWE-895 | Category | CWE-888 | |
Demonstrative ExamplesNone
Observed Examples
- CVE-2005-1794 : Product stores RSA private key in a DLL and uses it to sign a certificate, allowing spoofing of servers and MITM attacks.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| PLOVER | | Plaintext Storage in Executable | |
References:None
