CWE-940: CWE-940: Improper Verification of Source of a Communication Channel
Description
View on MITREExtended Description
Extended Description
Technical Details
- Structure
- Simple
- Vulnerability Mapping
- ALLOWED
Applicable To
Security Consequences
Scope
Impact
Mitigation Strategies
Phase
Description
Use a mechanism that can validate the identity of the source, such as a certificate, and validate the integrity of data to ensure that it cannot be modified in transit using an Adversary-in-the-Middle (AITM) attack. When designing functionality of actions in the URL scheme, consider whether the action should be accessible to all mobile applications, or if an allowlist of applications to interface with is appropriate.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
No examples or observed CVEs available for this CWE.
CWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-940: CWE-940: Improper Verification of Source of a Communication Channel?+
CWE-940: CWE-940: Improper Verification of Source of a Communication Channel is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Description Extended Description
What are the security consequences of CWE-940: Improper Verification of Source of a Communication Channel?+
If exploited, CWE-940 (CWE-940: Improper Verification of Source of a Communication Channel) it can compromise Gain Privileges or Assume Identity, Varies by Context and Bypass Protection Mechanism, leading to outcomes such as Scope: Access Control and Other An attacker can access any functionality that is inadvertently accessible to the source..
How do you prevent or mitigate CWE-940: Improper Verification of Source of a Communication Channel?+
Recommended mitigations for CWE-940 include: Use a mechanism that can validate the identity of the source, such as a certificate, and validate the integrity of data to ensure that it cannot be modified in transit using an Adversary-in-the-Middle (AITM) attack. When designing functionality of actions in the URL scheme, consider whether the action should be accessible to all mobile applications, or if an allowlist of applications to interface with is appropriate.
Which programming languages are affected by CWE-940: Improper Verification of Source of a Communication Channel?+
CWE-940 commonly affects Languages. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What is the difference between a CWE and a CVE?+
A CWE (Common Weakness Enumeration) like CWE-940 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.