When apps accidentally expose private information like credit cards, SSNs, or passwords, it's called "Sensitive Data Exposure" - one of the most dangerous security problems.
According to OWASP, sensitive data exposure is the #3 most critical web application security risk.
When data is sent over HTTP instead of HTTPS, anyone on the same network can see it. It's like sending a postcard instead of a sealed letter!
APIs that give away sensitive data without properly checking who's asking for it. This is like a bank teller giving account details to anyone who asks!
Storing passwords and credit cards as plain text in databases. Like writing your ATM PIN directly on your debit card!
Including sensitive info in HTML comments, JavaScript, or browser storage. It's like hiding your house key under the doormat - the first place attackers look!
Allowing users to access other users' data by changing parameters in URLs or requests. Like being able to open someone else's mailbox just by changing the box number!
In 2017, Equifax suffered one of the largest data breaches in history, exposing sensitive personal information of 147 million people - nearly half the US population.
All because they failed to properly patch and secure their systems!
Put on your hacker hat and try to find all the sensitive data leaks in this app:
1 Create an account or use our demo account
2 Examine the profile page (note how data appears masked)
3 Check the HTML source code (right-click → View Page Source)
4 Open browser dev tools (F12) → Check Network, Console, Storage tabs
5 Try accessing these API endpoints after logging in:
/api/user-data/ (requires login)
/api/all-users/ (completely unsecured!)
This application has at least 5 different ways sensitive data is leaked. Can you find them all? For each one, try to understand:
Hint: One API endpoint is completely public and exposes ALL users' data without any authentication - you don't even need to log in to access it!
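Added illustration, not the demo app's own code: a minimal Python model of the two endpoints, with an all-users handler that behaves as the page describes (no authentication at all) beside hardened handlers that require a session, refuse a changed user id, and mask the sensitive fields. The user store, the session token and the masking rule are constructed assumptions.

```python
# Added example, not the demo app's code. The user store and session table
# are constructed sample values; assumption: one session already issued.
USERS = {
    1: {"username": "alice", "ssn": "123-45-6789", "card": "4111111111111111"},
    2: {"username": "bob", "ssn": "987-65-4321", "card": "5500000000000004"},
}
SESSIONS = {"tok-alice": 1}  # session token -> user id, created at login


def mask(value, keep=4):
    """Hide everything except the last `keep` characters, keeping separators."""
    head, tail = value[:-keep], value[-keep:]
    return "".join("*" if c.isalnum() else c for c in head) + tail


def all_users_unsecured():
    """Behaves like the demo's /api/all-users/: no auth check, raw records."""
    return 200, list(USERS.values())


def all_users(session_token):
    """Hardened /api/all-users/: needs a valid session, returns no secrets."""
    if session_token not in SESSIONS:
        return 401, {"error": "login required"}
    return 200, [{"username": u["username"]} for u in USERS.values()]


def user_data(session_token, requested_id):
    """Hardened /api/user-data/<id>: authenticate, then check ownership."""
    uid = SESSIONS.get(session_token)
    if uid is None:
        return 401, {"error": "login required"}
    if uid != requested_id:  # a changed id in the request must not work
        return 403, {"error": "forbidden"}
    u = USERS[uid]
    return 200, {"username": u["username"],
                 "ssn": mask(u["ssn"]), "card": mask(u["card"])}
```

Each handler returns an HTTP-style status plus the body, so the difference between the leaky endpoint and the hardened ones shows up directly in what a caller without a session, or with someone else's id, gets back.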