Sensitive data exposure vulnerabilities can occur when an application does not adequately protect sensitive information from being disclosed to attackers. For many applications this may be limited to information such as passwords, but it can also include information such as credit card data, session tokens, or other authentication credentials.
Some of the features GitHub has implemented to protect our users’ sensitive data include: securely hashing passwords, enabling Strict Transport Security, using a third-party payment processor, and not allowing users to view personal access tokens after they are generated.
More about sensitive data exposure vulnerabilities from OWASP’s Top 10:
The most common flaw is simply not encrypting sensitive data. When crypto is employed, weak key generation and management, and weak algorithm usage is common, particularly weak password hashing techniques. Browser weaknesses are very common and easy to detect, but hard to exploit on a large scale. External attackers have difficulty detecting server side flaws due to limited access and they are also usually hard to exploit.
| # | Bounty | Researcher | Submission |
|---|---|---|---|
| 1 | 10000 pts | Vlad Ionescu | GitHub Actions secret leak |
| 2 | 1000 pts | Teddy Katz | Private issue title disclosure via marking as duplicate |
| 3 | 5000 pts | Max Dymond | Unintended services exposed to internet due to ACL changes |
| 4 | 500 pts | Mark L. Smith | List repositories API returns incorrectly cached response |
| 5 | 1000 pts | Mathias Karlsson | XHR submitted forms bypass CSP form-action |