25 November 2008

Information Leakage Through Superseded Functionality

Sometimes information leaks from web applications because old, or superseded, functionality is still present.

Here's a software-related, but non-web, example I saw last week. Seat reservations on National Express East Coast trains are printed from their reservation system and include the seat position and the part of the route reserved. Reservation slips are attached to the seats, like the one shown below:

Photograph of a reservation slip for seat E03, facing the direction of travel between London Kings Cross and Durham.

But one nearby seat on the same train had some additional information displayed - possibly the passenger's family name?

Photograph of a reservation slip for seat E06, back to the direction of travel between London Kings Cross and Peterborough - but also showing the text 'Wallace'.

The seat was actually empty for the journey, so we'll never know whether this was really a passenger's name. In this example it's not a problem, of course, but it might indicate that there is a field in the data entry system that can be used to store additional details. And here it is, being printed on the reservation slip.

Perhaps names used to be included and the field remains, but shouldn't be completed nowadays. Luckily the booking agent didn't write something like 'awkward customer' or '2 cards bounced' here. That would have been a problem.

So back to web applications... the above scenario could apply to an administrative data entry form in a content management system or e-commerce management system. The reason for, and use of, 'old' fields may be forgotten over time as staff change, which means that information is published in unexpected ways.

Maintaining a schedule of how every data input field relates to each output (page, report, printed slip) is time-consuming, but potentially important. Where it's not possible to build and maintain such a schedule, thorough testing of the outputs can help.
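As an added illustration of the input-to-output schedule described above (example code, not from the original post or from any real reservation system), the script below keeps a constructed schema that records which outputs each stored field is approved for, scans constructed output templates for the fields they actually render, and reports any field that reaches an output it is not approved for. It also shows the rendering style that causes the leak (passing the whole record into a template) beside an allow-listed version that prints only the intended fields. The field names, templates and the 'Wallace' record are assumptions made up for the example.

```python
"""Audit which stored fields reach a rendered output (constructed example)."""
import re

# Constructed schema: for each stored field, the outputs it may legitimately appear on.
# 'passenger_name' is the kind of legacy field the post describes: still in the
# data entry form, but no longer meant to be printed anywhere.
SCHEMA = {
    "seat":           {"approved_outputs": {"slip", "manifest"}},
    "facing":         {"approved_outputs": {"slip"}},
    "origin":         {"approved_outputs": {"slip", "manifest"}},
    "destination":    {"approved_outputs": {"slip", "manifest"}},
    "passenger_name": {"approved_outputs": set()},   # legacy field, must not be output
    "agent_note":     {"approved_outputs": set()},   # internal only, must not be output
}

# Constructed templates as the application might hold them; placeholders are {field}.
# The slip template still carries the old {passenger_name} placeholder.
TEMPLATES = {
    "slip":     "Seat {seat} - {facing}\n{origin} to {destination}\n{passenger_name}",
    "manifest": "{seat} {origin}-{destination}",
}

PLACEHOLDER = re.compile(r"\{([a-z_]+)\}")


def fields_in_template(template):
    """Return the set of field names a template would render."""
    return set(PLACEHOLDER.findall(template))


def audit(schema, templates):
    """Map output name -> sorted fields it renders without approval.

    A field missing from the schema entirely is also reported, since nobody
    has documented where it may appear.
    """
    findings = {}
    for name, tpl in templates.items():
        leaked = sorted(
            f for f in fields_in_template(tpl)
            if name not in schema.get(f, {}).get("approved_outputs", set())
        )
        if leaked:
            findings[name] = leaked
    return findings


def legacy_fields(schema):
    """Fields approved for no output at all: candidates for removal from the form."""
    return sorted(f for f, meta in schema.items() if not meta["approved_outputs"])


def render_slip_naive(record):
    """Leaky pattern: every field in the record is available to the template."""
    return TEMPLATES["slip"].format(**record)


SLIP_FIELDS = ("seat", "facing", "origin", "destination")


def render_slip(record):
    """Hardened pattern: only allow-listed fields are ever passed to the template."""
    missing = [f for f in SLIP_FIELDS if f not in record]
    if missing:
        raise ValueError(f"record lacks required fields: {missing}")
    safe = {f: record[f] for f in SLIP_FIELDS}
    return "Seat {seat} - {facing}\n{origin} to {destination}".format(**safe)


if __name__ == "__main__":
    # Constructed record resembling the slip in the post.
    record = {"seat": "E06", "facing": "back to direction of travel",
              "origin": "London Kings Cross", "destination": "Peterborough",
              "passenger_name": "Wallace", "agent_note": ""}
    print("Unapproved fields per output:", audit(SCHEMA, TEMPLATES))
    print("Legacy fields to review:", legacy_fields(SCHEMA))
    print("--- naive slip ---\n" + render_slip_naive(record))
    print("--- allow-listed slip ---\n" + render_slip(record))
```

Running the audit as part of the test suite turns the post's "schedule" into a check that fails as soon as someone adds a placeholder for a field that was never approved for that output, or revives an old one.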

Posted on: 25 November 2008 at 11:46 hrs

http://www.clerkendweller.com/2008/11/25/Information-Leakage-Through-Superceded-Functionality
© 2008-2010 clerkendweller.com