CWE-359: Exposure of Private Personal Information to an Unauthorized Actor

BaseIncomplete

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

View on MITRE
Back to CWE Lookup

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-359: Exposure of Private Personal Information to an Unauthorized Actor?+

CWE-359: Exposure of Private Personal Information to an Unauthorized Actor is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

What are the security consequences of Exposure of Private Personal Information to an Unauthorized Actor?+

If exploited, CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor) it can compromise Confidentiality, leading to outcomes such as Read Application Data.

How do you prevent or mitigate Exposure of Private Personal Information to an Unauthorized Actor?+

Recommended mitigations for CWE-359 include: Identify and consult all relevant regulations for personal privacy. An organization may be required to comply with certain federal and state regulations, depending on its location, the type of business it conducts, and the nature of any private data it handles. Regulations may include Safe Harbor Privacy Framework [REF-340], Gramm-Leach Bliley Act (GLBA) [REF-341], Health Insurance Portability and Accountability Act (HIPAA) [REF-342], General Data Protection Regulation (GDPR) [REF-1047], California Consumer Privacy Act (CCPA) [REF-1048], and others. Carefully evaluate how secure design may interfere with privacy, and vice versa. Security and privacy concerns often seem to compete with each other. From a security perspective, all important operations should be recorded so that any anomalous activity can later be identified. However, when private data is involved, this practice can in fact create risk. Although there are many ways in which private data can be handled unsafely, a common risk stems from misplaced trust. Programmers often trust the operating environment in which a program runs, and therefore believe that it is acceptable store private information on the file system, in the registry, or in other locally-controlled resources. However, even if access to certain resources is restricted, this does not guarantee that the individuals who do have access can be trusted.

How is Exposure of Private Personal Information to an Unauthorized Actor detected?+

CWE-359 can be detected using Architecture or Design Review. Combining automated tooling with manual review typically yields the best coverage.

Which programming languages are affected by Exposure of Private Personal Information to an Unauthorized Actor?+

CWE-359 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-359 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More