HKCert
Security Blog

Beware of Web Application Programming Vulnerabilities That Lead to Personal Information Leakage

Release Date: 30 / 10 / 2018
Last Update: 31 / 10 / 2018
It was reported that the website of Hong Kong Airlines had a vulnerability: a passenger's personal information could be viewed simply by modifying the identifier at the end of the URL, with no check that the requester was the passenger concerned. This is a classic insecure direct object reference and most likely falls under Broken Authentication (A2) and Broken Access Control (A5) as defined in the OWASP Top 10 2017.
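The pattern described above, as an added example that is not part of HKCERT's advisory or the airline's code: a minimal in-memory model of a booking-lookup handler, first in the vulnerable form (it returns whatever record the URL names) and then hardened so that a logged-in session is required and the record must belong to that session's account. The booking references, account names and the Booking/vulnerable_lookup/hardened_lookup names are constructed for illustration.

```python
"""Insecure direct object reference (IDOR) on a booking-lookup URL.

Constructed example (not code from the advisory or from any airline site).
Handlers return (http_status, body) like a tiny web framework would.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Booking:
    ref: str
    owner: str          # authenticated account that made the booking
    passenger: str
    passport_no: str


# Constructed sample records standing in for a booking database.
BOOKINGS = {
    "HX1001": Booking("HX1001", "alice", "Alice Chan", "K1234567"),
    "HX1002": Booking("HX1002", "bob", "Bob Lee", "K7654321"),
    "HX1003": Booking("HX1003", "carol", "Carol Wong", "K2468013"),
}


def booking_ref_from_url(path: str) -> str:
    """Take the last path segment: '/booking/HX1002' -> 'HX1002'."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def public_view(b: Booking) -> dict:
    return {"passenger": b.passenger, "passport_no": b.passport_no}


def vulnerable_lookup(path: str):
    """VULNERABLE: trusts the reference in the URL as proof of entitlement.

    No login is required and no ownership check is made, so anyone who
    changes HX1001 to HX1002 at the end of the URL receives Bob's record.
    """
    b = BOOKINGS.get(booking_ref_from_url(path))
    if b is None:
        return 404, None
    return 200, public_view(b)


def hardened_lookup(path: str, session_user: Optional[str]):
    """HARDENED: authenticate the session, then authorise the object.

    The reference in the URL is only a lookup key; entitlement comes from the
    server-side session. A record that exists but belongs to someone else is
    answered exactly like a record that does not exist, so the endpoint
    cannot be used to enumerate valid references either.
    """
    if session_user is None:
        return 401, None                     # Broken Authentication fix
    b = BOOKINGS.get(booking_ref_from_url(path))
    if b is None or b.owner != session_user:
        return 404, None                     # Broken Access Control fix
    return 200, public_view(b)


def enumerate_refs(handler, refs, session_user=None):
    """Simulate an attacker walking the reference space; return what leaked."""
    leaked = {}
    for ref in refs:
        path = f"/booking/{ref}"
        status, body = (handler(path) if session_user is None
                        else handler(path, session_user))
        if status == 200:
            leaked[ref] = body["passenger"]
    return leaked


if __name__ == "__main__":
    probe = [f"HX{n}" for n in range(1000, 1010)]
    print("vulnerable:", enumerate_refs(vulnerable_lookup, probe))
    print("hardened (alice):", enumerate_refs(hardened_lookup, probe, "alice"))
```

In a real application the ownership check is best expressed in the query itself (look the booking up by both account and reference) so that no code path can forget it; the `b.owner != session_user` comparison above is the same rule written out explicitly.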
 
HKCERT urges webmasters and web application developers to ensure that web application security preventive measures are in place before a web application is launched, including:
  • Use authentication to protect web content, especially content containing personal information (e.g. implement a login and multi-factor authentication), and check on every request that the authenticated user is entitled to the specific record being requested
  • Adopt security and privacy by design throughout the software development life cycle (SDLC)
  • Perform static code scanning during development, and perform penetration testing and vulnerability scanning regularly
  • Continuously monitor application traffic and analyse logs

To secure your web application, please refer to the Security Guideline below: