TID-226: Device leaks security information in logs
Threat Description
Some devices log information that can be exploited by attackers to further their attack against the device or the system in which the device resides. This data can vary, but in general, if a device logs any secret whose disclosure would break its safety, confidentiality, integrity, or availability, a threat actor may be able to use that information to further their goals. For example, if a private key is printed in a debug or event log after generation, threat actors may be able to take the key and use it to decrypt network communications. Another instance is a threat actor taking information from the core-dump log of a failed process and turning it into an exploit.
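The following is an added example, not part of this entry or of any product's code: a Python logging filter that scrubs private key blocks and credential fields from each record before a handler writes it, covering the private-key case described above. The field names in the pattern, the logger name, and all sample values are assumptions constructed for illustration.

```python
import io
import logging
import re

# Patterns are assumptions chosen for this example; extend them per device.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----.*?-----END \1-----", re.DOTALL)
SECRET_FIELD = re.compile(
    r"""(?i)(["']?\b(?:password|passwd|secret|token|api_key)\b["']?\s*[:=]\s*)"""
    r"""("[^"]*"|'[^']*'|[^\s,;}]+)""")


def redact(text: str) -> str:
    """Replace private key blocks and credential values with a marker."""
    text = PEM_BLOCK.sub(r"[REDACTED \1]", text)
    return SECRET_FIELD.sub(r"\1[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Scrub the fully formatted message before any handler writes it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # arguments are already merged into msg
        return True


def demo() -> str:
    """Log constructed sample secrets and return what reached the sink."""
    sink = io.StringIO()
    handler = logging.StreamHandler(sink)
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("device.demo")
    log.handlers[:] = [handler]
    log.setLevel(logging.DEBUG)
    log.propagate = False

    # Constructed sample values, not real key material or credentials.
    pem = ("-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFAKEFAKEFAKE\n"
           "-----END EC PRIVATE KEY-----")
    log.debug("generated device key:\n%s", pem)
    log.info("integration config: %s",
             {"host": "broker.example", "password": "hunter2"})
    log.info("connect user=svc token=abc123 retries=3")
    return sink.getvalue()


if __name__ == "__main__":
    print(demo())
```

Pattern-based scrubbing is a backstop for secrets that reach a log call by mistake; the primary control is to keep secrets out of log arguments. Core dumps bypass the logging path entirely and need their own handling.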
Threat Maturity and Evidence
Known Exploitable Weakness
Uber app (2018)
“In 2018, a security researcher found that the Uber app was leaking sensitive data, including secret keys and passwords, through its debugging interface. The researcher was able to use this information to access user data, such as ride histories and payment information.”
Tesla electric vehicles (2020)
“In 2020, a security researcher discovered that Tesla electric vehicles were leaking sensitive data, including passwords and private keys, through their debugging interface. The researcher was able to use this information to access user data, such as location histories and driving behavior.”
CWE
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
“The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.”
CWE-532 Insertion of Sensitive Information into Log File
“The product writes sensitive information to a log file.”
CVE
CVE-2023-51390
“journalpump is a daemon that takes log messages from journald and pumps them to a given output. A logging vulnerability was found in journalpump which logs out the configuration of a service integration in plaintext to the supplied logging pipeline, including credential information contained in the configuration if any. The problem has been patched in journalpump 2.5.0.”
CVE-2025-0895
“IBM Cognos Analytics Mobile 1.1 for Android could allow a user with physical access to the device, to obtain sensitive information from debugging code log messages.”
CVE-2025-26495
“Cleartext Storage of Sensitive Information vulnerability in Salesforce Tableau Server can record the Personal Access Token (PAT) into logging repositories. This issue affects Tableau Server: before 2022.1.3, before 2021.4.8, before 2021.3.13, before 2021.2.14, before 2021.1.16, before 2020.4.19.”