Security based on event locations are insecure and can be spoofed.
View on MITREEvents are a messaging system which may provide control data to programs listening for events. Events often do not have any type of authentication framework to allow them to be verified from a trusted source. Any application, in Windows, on a given desktop can send a message to any window on the same desktop. There is no authentication framework for these messages. Therefore, any message can be used to manipulate any process on the desktop if the process does not check the validity and safeness of those messages.
If one trusts the system-event information and executes commands based on it, one could potentially take actions based on a spoofed identity.
Never trust or rely any of the information in an Event for security.
No detection method information available for this CWE.
This example code prints out secret information when an authorized user activates a button:
This code does not attempt to prevent unauthorized users from activating the button. Even if the button is rendered non-functional to unauthorized users in the application UI, an attacker can easily send a false button press event to the application window and expose the secret information.
Attacker uses Shatter attack to bypass GUI-enforced protection for CVE-2003-0908.
View DetailsCWE-360: Trust of System Event Data is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Security based on event locations are insecure and can be spoofed. Events are a messaging system which may provide control data to programs listening for events. Events often do not have any type of authentication framework to allow them to be verified from a trusted source. Any application, in Windows, on a given desktop can send a message to any window on the same desktop. There is no authentication framework for these messages. Therefore, any message can be used to manipulate any process on the desktop if the process does not check the validity and safeness of those messages.
If exploited, CWE-360 (Trust of System Event Data) it can compromise Integrity, Confidentiality, Availability and Access Control, leading to outcomes such as Gain Privileges or Assume Identity and Execute Unauthorized Code or Commands.
Recommended mitigations for CWE-360 include: Never trust or rely any of the information in an Event for security.
CWE-360 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-360, including CVE-2004-0213. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-360 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.