Understanding Results: The Information Leakage Tab
Information leakage refers to the unintentional exposure of possibly sensitive data that is contained within a software package. Black Duck Binary Analysis identifies several types of such data and reports them on the Information leakage tab.
Some types of data, such as keys and passwords, are almost certainly sensitive, and if they are exposed, steps should be taken to remove them from the software package. A typical case is a private key that is copied into the final build by mistake during the build process: the leaked key can then be used to access the systems that trust it. Not all leaked data is sensitive, however. Most URLs and email addresses found in a package are part of the software and are there by intention, so their exposure does not necessarily pose a security threat.
With the Information leakage feature in Black Duck Binary Analysis, you can gain insight into the types of possibly sensitive data contained in a scanned software package. You can then evaluate whether or not the leaked data represents a security vulnerability.
Black Duck Binary Analysis currently detects the following types of possibly sensitive data:
- Amazon Web Services (AWS) keys
The exposure of AWS keys is a severe security vulnerability. An attacker can use the keys to act on the related AWS account with whatever permissions the key's identity holds.
- Asymmetric keys
Asymmetric (public-key) cryptographic keys come in pairs consisting of a public key and a private key. Public and private keys are displayed separately on the Information Leakage tab.
The leakage of private keys is a severe security vulnerability. An attacker can use the private key to decrypt communications protected by it, to impersonate the key's owner, or to sign data or code on its behalf.
Further, keep in mind that even the unintentional leakage of public keys can be a security concern when the key is used for authorization (for example, a key installed as a trusted identity), since it reveals which identities a system trusts.
- JSON Web Tokens (JWT)
Used to authenticate against web services and APIs. If the token has not expired (or carries no expiry) and the issuing web service is known, it can be replayed to access that service.
- OAuth tokens
Used to authenticate against web services and APIs. If the token is still valid and has not been revoked, and the web service it was issued for is known, it can be used to access that service.
- Passwords
The leakage of passwords is a severe security vulnerability. An attacker can use the password to access target accounts or machines. Passwords stored as salted hashes rather than in clear text are harder to abuse, but a leaked hash can still be cracked offline, especially if the password is weak or the hash function is fast.
- Shell history
Command-line shells usually store the command history in a file (for example .bash_history). Some commands take passwords or other credentials as arguments, so shipping such a history file with a software release can reveal them, along with internal hostnames and paths.
- Image metadata
Image metadata (such as EXIF headers) can contain the GPS coordinates of the physical location where an image was taken, as well as device and author details.
- URLs
The leakage of URLs may or may not be a security vulnerability. You should review the URLs identified by the scan and determine whether or not they point to sensitive services or reveal sensitive information.
- IP addresses
The leakage of IP addresses may or may not be a security vulnerability. You should review the addresses identified by the scan and determine whether or not they point to sensitive services.
- Email addresses
The leakage of email addresses may or may not be a security vulnerability. You should review the addresses identified by the scan and determine whether or not they reveal sensitive information.
- MAC addresses
The leakage of MAC addresses may or may not be a security vulnerability. A MAC address identifies a specific network interface and its hardware vendor, and can be used to identify or track a particular device.
- Basic HTTP authentication data
The leakage of authentication data is a severe security vulnerability. Basic HTTP authentication transmits the username and password base64-encoded, not encrypted, so a leaked Authorization header or a URL of the form https://user:password@host yields the credentials directly, which could be used to gain unauthorized access to systems or services.
- Google cloud keys
A key used by applications to authenticate to Google Cloud Platform APIs. With a leaked Google Cloud key, an attacker is able to access the services and APIs enabled for the associated project.
- Facebook access tokens
An access token is used by an app to make Graph API calls to Facebook services. The token could allow an attacker to access and modify data associated with the user or organization that the token belongs to.
- Twilio access keys
Access keys allow a user to authenticate with Twilio's API and to create access tokens. As long as the key is not revoked, an attacker who also knows the key's secret can manage and access Twilio services.
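As an added illustration of the kind of pattern-based detection this tab reports (example code written for this page, not Black Duck Binary Analysis' own detection logic), the following Python scanner walks a package tree and flags several of the listed data types using their well-known formats: AWS access key IDs (prefix AKIA or ASIA), PEM private keys, JSON Web Tokens, credentials embedded in URLs, HTTP Basic authentication headers, and shell history files. It also decodes each JWT it finds to report whether the token is expired, since an expired token is far less useful to an attacker. The patterns, file names and the sample package are assumptions constructed for the example; the AWS key ID used is the documented AWS example key.

```python
# Example secret scanner written for this page; not Black Duck Binary Analysis code.
# The patterns below are assumptions about common data formats, not the product's own rules.
import base64
import json
import re
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

@dataclass
class Finding:
    kind: str
    path: str
    offset: int
    sample: str       # redacted excerpt; the report never stores the full secret
    note: str = ""

PATTERNS = {
    # AWS access key IDs: 20 chars, prefix AKIA (long-term) or ASIA (temporary).
    # The 40-char secret access key has no fixed prefix and is not matched here.
    "aws_access_key_id": re.compile(rb"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    # JWT: three base64url segments; a JSON header always encodes to a prefix of "eyJ".
    "jwt": re.compile(rb"(?<![A-Za-z0-9_-])eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    # Credentials embedded in a URL: scheme://user:password@host
    "basic_auth_url": re.compile(rb"\bhttps?://[^\s/:@]+:[^\s/@]+@[^\s/]+"),
    # HTTP Basic authentication header; the value is base64, not encryption.
    "basic_auth_header": re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)"),
}
HISTORY_FILES = {".bash_history", ".zsh_history", ".sh_history", ".python_history"}

def _b64url_encode(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def _b64url_decode(seg: bytes) -> bytes:
    return base64.urlsafe_b64decode(seg + b"=" * (-len(seg) % 4))

def make_jwt(header: dict, payload: dict, signature: bytes = b"sig") -> bytes:
    """Build a token with a placeholder signature for the sample package (hypothetical helper)."""
    parts = [json.dumps(header, separators=(",", ":")).encode(),
             json.dumps(payload, separators=(",", ":")).encode(), signature]
    return b".".join(_b64url_encode(p) for p in parts)

def parse_jwt(token: bytes):
    """Return (header, payload) dicts, or None if the match is not a real JWT."""
    try:
        header, payload = (json.loads(_b64url_decode(s)) for s in token.split(b".")[:2])
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all raise ValueError subclasses
        return None
    if not (isinstance(header, dict) and "alg" in header and isinstance(payload, dict)):
        return None
    return header, payload

def jwt_is_expired(token: bytes, now: int):
    """True/False from the exp claim; None when the token carries no exp (never expires)."""
    parsed = parse_jwt(token)
    if parsed is None or "exp" not in parsed[1]:
        return None
    return int(parsed[1]["exp"]) <= now

def decode_basic_auth(value: str) -> tuple:
    user, _, password = base64.b64decode(value).decode("utf-8", "replace").partition(":")
    return user, password

def redact(text: str, keep: int = 4) -> str:
    return "*" * len(text) if len(text) <= keep * 2 else text[:keep] + "..." + text[-2:]

def scan_bytes(data: bytes, path: str, now: int = None) -> list:
    now = int(time.time()) if now is None else now
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(data):
            note = ""
            if kind == "jwt":
                if parse_jwt(m.group(0)) is None:
                    continue  # looked like a token but did not decode: drop the false positive
                expired = jwt_is_expired(m.group(0), now)
                note = "no exp claim" if expired is None else ("expired" if expired else "still valid")
            findings.append(Finding(kind, path, m.start(), redact(m.group(0).decode("ascii", "replace")), note))
    return findings

def scan_tree(root: Path) -> list:
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = str(path.relative_to(root))
        if path.name in HISTORY_FILES:  # history is flagged by file name, whatever it contains
            findings.append(Finding("shell_history", rel, 0, path.name))
        findings.extend(scan_bytes(path.read_bytes(), rel))
    return findings

def build_sample_package(root: Path) -> None:
    """Write a constructed package tree; AKIAIOSFODNN7EXAMPLE is the AWS documentation example key."""
    (root / "config").mkdir()
    (root / "config" / "settings.ini").write_bytes(
        b"aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        b"artifact_url = https://deploy:s3cret@internal.example.com/artifacts\n")
    (root / "certs").mkdir()
    (root / "certs" / "server.key").write_bytes(
        b"-----BEGIN RSA PRIVATE KEY-----\nMIIB...\n-----END RSA PRIVATE KEY-----\n")
    token = make_jwt({"alg": "HS256", "typ": "JWT"}, {"sub": "build-bot", "exp": 0})
    creds = base64.b64encode(b"deploy:s3cret").decode()
    (root / "web").mkdir()
    (root / "web" / "app.js").write_bytes(
        b'const TOKEN = "' + token + b'";\n' + f"// Authorization: Basic {creds}\n".encode())
    (root / ".bash_history").write_bytes(b"mysql -u root -pHunter2 prod_db\n")

def demo() -> list:
    """Build the constructed package in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_package(Path(tmp))
        return scan_tree(Path(tmp))

if __name__ == "__main__":
    for f in demo():
        print(f"{f.kind:18} {f.path:22} @{f.offset:<5} {f.sample} {f.note}")
```

Running the block scans the constructed package and prints one redacted finding per leak. Note what it does not do: it cannot tell whether a URL or email address is sensitive, it only finds the AWS key ID and not the secret key, and a private key that has been obfuscated or a password stored as a hash will pass through unnoticed; a real report still needs the triage step described below.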
For information about triaging information leaks, see Information Leak Triage.