CWE-203
AllowedObservable Discrepancy
Abstraction: Base · Status: Incomplete
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.
836 vulnerabilities reference this CWE, most recent first.
GHSA-7JG5-65PC-52VM
Vulnerability from github – Published: 2023-10-30 18:30 – Updated: 2023-11-06 18:30In ContentService, there is a possible way to read installed sync content providers due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2023-21306"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-30T17:15:48Z",
"severity": "MODERATE"
},
"details": "In ContentService, there is a possible way to read installed sync content providers due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-7jg5-65pc-52vm",
"modified": "2023-11-06T18:30:17Z",
"published": "2023-10-30T18:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21306"
},
{
"type": "WEB",
"url": "https://source.android.com/docs/security/bulletin/android-14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7M6Q-GGF5-RWG4
Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-01 18:31Side-channel information leakage in Paint in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2026-13922"
],
"database_specific": {
"cwe_ids": [
"CWE-1300",
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T23:17:06Z",
"severity": "MODERATE"
},
"details": "Side-channel information leakage in Paint in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-7m6q-ggf5-rwg4",
"modified": "2026-07-01T18:31:32Z",
"published": "2026-07-01T00:34:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13922"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/511748106"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7MMW-X6RM-HMR8
Vulnerability from github – Published: 2022-05-24 16:56 – Updated: 2024-04-04 01:58RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Information Exposure Through Timing Discrepancy vulnerabilities during DSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover DSA keys.
{
"affected": [],
"aliases": [
"CVE-2019-3740"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-18T23:15:00Z",
"severity": "MODERATE"
},
"details": "RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Information Exposure Through Timing Discrepancy vulnerabilities during DSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover DSA keys.",
"id": "GHSA-7mmw-x6rm-hmr8",
"modified": "2024-04-04T01:58:23Z",
"published": "2022-05-24T16:56:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3740"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/security/en-us/details/DOC-106556/DSA-2019-094-RSA-BSAFE\u0026#174%3B-Crypto-J-Multiple-Security-Vulnerabilities"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/security/en-us/details/DOC-106556/DSA-2019-094-RSA-BSAFE\u0026#174;-Crypto-J-Multiple-Security-Vulnerabilities"
},
{
"type": "WEB",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7MVX-M8HQ-F37G
Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-16 15:34While the text displayed in Autofill tooltips cannot be directly read by JavaScript, the text was rendered using page fonts. Side-channel attacks on the text by using specially crafted fonts could have lead to this text being inferred by the webpage. This vulnerability affects Firefox < 98.
{
"affected": [],
"aliases": [
"CVE-2022-26382"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-22T20:15:00Z",
"severity": "MODERATE"
},
"details": "While the text displayed in Autofill tooltips cannot be directly read by JavaScript, the text was rendered using page fonts. Side-channel attacks on the text by using specially crafted fonts could have lead to this text being inferred by the webpage. This vulnerability affects Firefox \u003c 98.",
"id": "GHSA-7mvx-m8hq-f37g",
"modified": "2025-04-16T15:34:07Z",
"published": "2022-12-22T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26382"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1741888"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7MXQ-H2R7-H449
Vulnerability from github – Published: 2025-08-19 15:31 – Updated: 2025-08-19 22:24Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allow any authenticated user to modify the content of emails sent through the calendar portlet, allowing an attacker to send phishing emails to any other user in the same organization.
Liferay Portal is fixed on the master branch from commit ff18e7d.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay:com.liferay.calendar.service"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.0.83"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-43739"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-19T22:24:01Z",
"nvd_published_at": "2025-08-19T14:15:38Z",
"severity": "MODERATE"
},
"details": "Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allow any authenticated user to modify the content of emails sent through the calendar portlet, allowing an attacker to send phishing emails to any other user in the same organization.\n\nLiferay Portal is fixed on the master branch from commit ff18e7d.",
"id": "GHSA-7mxq-h2r7-h449",
"modified": "2025-08-19T22:24:01Z",
"published": "2025-08-19T15:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43739"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/0a9f5df16ae0afa8216ca568b89b2cdf00054bde"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/5dc74a9f53f0aaa6cc1b6e0f503842832324239a"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/75be892f7cf31e1a38555d45627b0c2a06490d3d"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/7d70fab2259ff8b4a775021eb95bfc183823f8fc"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/7eb551616c6b8beeaf660ff7f29b09794cb80d91"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/a01a99cc4a5c7436f49790a1bfb386299172149c"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/b396c00338e754976a9f63ea1d5393f29babdabb"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/c1660f1a906c5ee3adca51e68f0abd6f9c1d253f"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/e50c1a0a53d30b4e55f47495e265c5b7ea3459e1"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/f238677d9afb46cfe4e23f05ce11bd5197a70388"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/ff18e7d363f2a3bc83e9d3446f1bc49bee821883"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/ff927f3f6784b396d3a611ac2e5e99b69ff0fd05"
},
{
"type": "PACKAGE",
"url": "https://github.com/liferay/liferay-portal"
},
{
"type": "WEB",
"url": "https://liferay.atlassian.net/browse/LPE-18210"
},
{
"type": "WEB",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43739"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Liferay Portal Email Modification Vulnerability via Calendar Portlet"
}
GHSA-7P3M-5QGR-X458
Vulnerability from github – Published: 2022-12-19 21:30 – Updated: 2022-12-19 21:30In getSmsRoleHolder of RoleService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-235601770
{
"affected": [],
"aliases": [
"CVE-2022-20538"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-16T16:15:00Z",
"severity": "MODERATE"
},
"details": "In getSmsRoleHolder of RoleService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-235601770",
"id": "GHSA-7p3m-5qgr-x458",
"modified": "2022-12-19T21:30:28Z",
"published": "2022-12-19T21:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20538"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2022-12-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7V8V-3XWH-J47P
Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-08-31 00:00An information disclosure vulnerability exists in the Rocket.Chat server fixed v3.13, v3.12.2 & v3.11.3 that allowed email addresses to be disclosed by enumeration and validation checks.
{
"affected": [],
"aliases": [
"CVE-2021-22892"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-27T12:15:00Z",
"severity": "HIGH"
},
"details": "An information disclosure vulnerability exists in the Rocket.Chat server fixed v3.13, v3.12.2 \u0026 v3.11.3 that allowed email addresses to be disclosed by enumeration and validation checks.",
"id": "GHSA-7v8v-3xwh-j47p",
"modified": "2022-08-31T00:00:20Z",
"published": "2022-05-24T19:03:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22892"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1089116"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7VWG-39H8-8QP8
Vulnerability from github – Published: 2021-03-11 17:42 – Updated: 2021-03-11 17:41This Security Advisory is about a vulnerability in eZ Platform v1.13, v2.5, and v3.2, and in Ibexa DXP and Ibexa Open Source v3.3. The /user/sessions endpoint can let an attacker detect if a given username or email refers to a valid account. This can be detected through differences in the response data or response time of certain requests. The fix ensures neither attack is possible. The fix is distributed via Composer.
If you come across a security issue in our products, here is how you can report it to us: https://doc.ibexa.co/en/latest/guide/reporting_issues/#toc
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.2.2.0"
},
"package": {
"ecosystem": "Packagist",
"name": "ezsystems/ezplatform-rest"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.0"
},
{
"fixed": "1.2.2.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.3.1.0"
},
"package": {
"ecosystem": "Packagist",
"name": "ezsystems/ezplatform-rest"
},
"ranges": [
{
"events": [
{
"introduced": "1.3.0"
},
{
"fixed": "1.3.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-11T17:41:09Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "This Security Advisory is about a vulnerability in eZ Platform v1.13, v2.5, and v3.2, and in Ibexa DXP and Ibexa Open Source v3.3. The /user/sessions endpoint can let an attacker detect if a given username or email refers to a valid account. This can be detected through differences in the response data or response time of certain requests. The fix ensures neither attack is possible. The fix is distributed via Composer.\n\nIf you come across a security issue in our products, here is how you can report it to us: https://doc.ibexa.co/en/latest/guide/reporting_issues/#toc",
"id": "GHSA-7vwg-39h8-8qp8",
"modified": "2021-03-11T17:41:09Z",
"published": "2021-03-11T17:42:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ezsystems/ezplatform-rest/security/advisories/GHSA-7vwg-39h8-8qp8"
},
{
"type": "WEB",
"url": "https://github.com/ezsystems/ezplatform-rest/commit/e239bba8b154a3b4cf787e29b9f15edf8945d933"
},
{
"type": "WEB",
"url": "https://packagist.org/packages/ezsystems/ezplatform-rest"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "/user/sessions endpoint allows detecting valid accounts"
}
GHSA-7W82-8H79-M4WP
Vulnerability from github – Published: 2024-06-17 18:31 – Updated: 2024-11-18 16:26A vulnerability was found in nasirkhan Laravel Starter up to 11.8.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /forgot-password of the component Password Reset Handler. The manipulation of the argument Email leads to observable response discrepancy. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-268784. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2024-6056"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-17T18:15:18Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in nasirkhan Laravel Starter up to 11.8.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /forgot-password of the component Password Reset Handler. The manipulation of the argument Email leads to observable response discrepancy. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-268784. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-7w82-8h79-m4wp",
"modified": "2024-11-18T16:26:44Z",
"published": "2024-06-17T18:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6056"
},
{
"type": "WEB",
"url": "https://powerful-bulb-c36.notion.site/idor-c6eb58e8fc40416ba53c7915ca0174c4?pvs=4"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.268784"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.268784"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.352978"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-7WC7-36PP-G93M
Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2025-11-03 21:30In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-channel and side-channel attack on software running in isolated environments that can be single stepped, especially Intel SGX.
{
"affected": [],
"aliases": [
"CVE-2021-24119"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-14T13:15:00Z",
"severity": "MODERATE"
},
"details": "In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-channel and side-channel attack on software running in isolated environments that can be single stepped, especially Intel SGX.",
"id": "GHSA-7wc7-36pp-g93m",
"modified": "2025-11-03T21:30:32Z",
"published": "2022-05-24T19:08:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24119"
},
{
"type": "WEB",
"url": "https://github.com/ARMmbed/mbedtls/releases"
},
{
"type": "WEB",
"url": "https://github.com/UzL-ITS/util-lookup/blob/main/cve-vulnerability-publication.md"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00021.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00034.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DRRVY7DMTX3ECFNZKDYTSFEG5AI2HBC6"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYJW7HAW3TDV2YMDFYXP3HD6WRQRTLJW"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DRRVY7DMTX3ECFNZKDYTSFEG5AI2HBC6"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EYJW7HAW3TDV2YMDFYXP3HD6WRQRTLJW"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-189: Black Box Reverse Engineering
An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds.