Sensitive data exposure vulnerabilities can occur when an application does not adequately protect sensitive information from being disclosed to attackers. For many applications this may be limited to information such as passwords, but it can also include information such as credit card data, session tokens, or other authentication credentials.
Some of the features GitHub has implemented to protect our users’ sensitive data include: securely hashing passwords, enabling Strict Transport Security, using a third-party payment processor, and not allowing users to view personal access tokens after they are generated.
More about sensitive data exposure vulnerabilities from OWASP’s Top 10:
The most common flaw is simply not encrypting sensitive data. When crypto is employed, weak key generation and management, and weak algorithm usage is common, particularly weak password hashing techniques. Browser weaknesses are very common and easy to detect, but hard to exploit on a large scale. External attackers have difficulty detecting server side flaws due to limited access and they are also usually hard to exploit.
|1||1000 pts Mathias Karlsson XHR submitted forms bypass CSP form-action|
|2||500 pts Rohit Dua Private Atom feed access token leak from Referer header|
|3||500 pts Georges.L Existence of private repositories revealed by duplicate response header|
|4||1000 pts Kamil Hismatullin Wiki content disclosure via forks|
|5||500 pts @h8rry Email replies disclose "mute the thread" token|