SPWwj / pe


Data Stored in Unencrypted JSON File #2

Open SPWwj opened 1 year ago

SPWwj commented 1 year ago

Description: AutoM8 stores contact data (confidential) in an unencrypted autom8.json file, potentially exposing sensitive user information and posing a security risk.

Steps to Reproduce:

  1. Launch autom8.
  2. Add contacts with sensitive information.
  3. Locate the autom8.json file in the application's storage directory.
  4. Open the autom8.json file and observe the contact data.

Expected Result: autom8 should store contact data in an encrypted format to protect sensitive user information.

Actual Result: autom8 stores contact data in an unencrypted autom8.json file, potentially exposing sensitive user information and posing a security risk.


soc-pe-bot commented 1 year ago

Team's Response

Tester attempts to label this as a CWE-312 issue with potentially a CVSS 3.1 score of 8.4 HIGH (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Rejected on grounds of: NOT AN ISSUE

One of the developers has worked as a security consultant in two separate CREST Approved certified organizations (i.e. the Singapore Government body actually requires both the security consultant and their employer organization to have various CREST certifications before they are even vetted to be allowed to test publicly known government projects); that developer has worked with Data Protection Officers and is aware of industrial security standards and the implications of not implementing them.

However, CS2103 instructions were that save files should not be encrypted so that students doing the PE testing can test to ensure that loading functionality works according to the DG/UG.

TLDR: Therefore, this reduced security requirement is a necessity for the sake of testing.

In addition, it is not uncommon for actual industries to provide a less secure version for the application testers to test before fixing the bugs on the secured version that is released to the public sphere.

Items for the Tester to Verify

Issue response

Team chose [response.NotInScope]

Reason for disagreement: Responding purely to the sentence below, before I accept your response: "However, CS2103 instructions were that save files should not be encrypted so that students doing the PE testing can test to ensure that loading functionality works according to the DG/UG." Could you give the reference where you got this piece of information?