Accidental exposure of sensitive data has been surging, Bugcrowd finds

Instances where sensitive internal data was accidentally left exposed shot upward in 2021, ranking significantly higher in the latest vulnerability report from bug bounty platform Bugcrowd.

The 2022 edition of the Bugcrowd Priority One Report ranked vulnerability types based upon frequency of reports from the platform’s community of researchers. The report excluded the Apache Log4j vulnerability because the report’s timeframe started with the fourth quarter of 2020 and ran through the end of the third quarter of 2021. The Log4j remote code execution flaw was disclosed in December.

Speed vs. security

In Bugcrowd’s latest report, one vulnerability type — sensitive data exposure involving internal assets — made a particularly massive gain. The vulnerability jumped to the No. 3 position, from No. 9 in the previous year’s report.

This ascendance is “a reflection of the fact that COVID basically forced the entire planet to do a whole bunch of unnatural stuff, really quickly, when it came to technology,” Bugcrowd founder and chief technology officer Casey Ellis said in an interview. In other words, “haste is the natural enemy of security,” he said.

The increased prevalence of sensitive internal data exposure is also concerning because any instance of this happening “tends to be pretty catastrophic in its consequences,” Ellis said. Exposure of sensitive data will often lead to a breach or fine related to the CCPA or GDPR privacy regulations, for instance.

An infamous example of the issue is a misconfiguration, or negligence, that leaves an Amazon S3 (Simple Storage Service) bucket open and accessible.

“That can happen quite easily when you’ve got a lot of developers working on a project quickly. And they’ll just dump some stuff onto the internet so that everyone can use it for work — but then they forget to take it down,” Ellis told VentureBeat. “Or, they don’t secure it properly as they put it up on the internet, because that’s too hard. ‘Why would I go through the internal security team, when I can just use a credit card and get an S3 bucket and toss it up there — and we’ll get the job done more quickly.’”

Exposing sensitive internal data is thus a “really easy mistake to make,” but also “easy to avoid” if the right incentives are there for developers to do so, he said.

Web app flaws

The two vulnerability types that ranked at the top in Bugcrowd’s report, in terms of frequency, are typically not as consequential — though they still can be, depending on the situation.

Ranking at No. 1 in the report was cross-site scripting, which moved up from No. 2 in the prior year’s report. Also known as XSS, cross-site scripting is a web application bug that has existed since the 2000s, but remains very common and difficult to avoid, Ellis said. The vulnerability can allow attackers to send malicious code to end users of a web application.

The increased prevalence of XSS reflects the “rapid deployment of home-grown web applications throughout 2020 and 2021,” Bugcrowd said in its report — another case of velocity resulting in corners being cut around security.

With the dramatic rise in work-from-home and digital commerce during the pandemic, “the priority for a lot of software development over the past two years has been ease of access,” Ellis said. “The problem with that is, if the customer can access it, then the bad guys probably can as well.”

At No. 2 on the vulnerability list was a type of broken access control: insecure direct object references, or IDOR. The flaw, which had ranked at No. 1 in the prior year’s report, involves the use of access permissions to do something that shouldn’t be possible. An example is accessing someone else’s banking or health care record just by entering a different record number after you’ve logged in to the site.

“If you increment that record number, what should happen is it should say, ‘Sorry, you’re not authorized to access this.’ Or even better, a 404 error,” Ellis said. “But it doesn’t always happen like that.”
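
The record-number case described above, as an added Python example that is not from the Bugcrowd report or the article: a lookup that only checks for a logged-in user, beside one that checks ownership and answers 404. The record store, user names and function names are hypothetical, and the sample records are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str
    body: str


# Constructed sample data: sequential record numbers, two different owners.
RECORDS = {
    1001: Record(1001, "alice", "alice's statement"),
    1002: Record(1002, "bob", "bob's statement"),
    1003: Record(1003, "alice", "alice's second statement"),
}

NOT_FOUND = (404, None)


def get_record_vulnerable(session_user, record_id):
    """IDOR: only checks that someone is logged in, never who owns the record."""
    if session_user is None:
        return (401, None)
    record = RECORDS.get(record_id)
    return (200, record.body) if record else NOT_FOUND


def get_record_checked(session_user, record_id):
    """Object-level authorization: the record must belong to the caller.

    A missing record and someone else's record both return 404, so the
    response does not confirm which record numbers exist.
    """
    if session_user is None:
        return (401, None)
    record = RECORDS.get(record_id)
    if record is None or record.owner != session_user:
        return NOT_FOUND
    return (200, record.body)


def readable_ids(handler, session_user, id_range):
    """Regression check: which record numbers does this user get a 200 for?"""
    return [rid for rid in id_range if handler(session_user, rid)[0] == 200]
```

Running `readable_ids` over a range of record numbers for each test user makes a simple regression test: any ID in the result that the user does not own is an access-control failure.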


While the vulnerability in Log4j, a widely used Java logging library, was revealed outside the timeframe of the Bugcrowd report, it cuts across several vulnerability types.

It’s similar in some ways to an unvalidated redirect vulnerability (No. 9 in the report) as well as to broken access control, Ellis said — but the core of the flaw is an issue with input sanitization, which is not one of the vulnerabilities on the list.

With the Log4j flaw, “the trigger was a lack of input sanitization, which is actually an injection issue. You could execute commands in a place where you shouldn’t have been able to do that,” he said.

Misaligned incentives

Ultimately, many software vulnerabilities derive from the “imperative of the developer to make the thing work,” Ellis said.

Developers are generally not measured or compensated based on making sure that what they create “doesn’t do all the stuff it shouldn’t,” he said. And that, unfortunately, is “where security vulnerabilities tend to exist.”

This dynamic is foundational to why Ellis founded Bugcrowd a decade ago, he said. The thesis from the start was to create incentives for finding vulnerabilities, given that those incentives do exist for cyber criminals, according to Ellis.

There are hopeful signs, however. In sectors including software and financial services, Bugcrowd saw a major uptick in activity in 2021 around uncovering bugs. In the software sector, payouts grew 73%. And in financial services, valid submissions to the Bugcrowd platform climbed by 82%, while payouts jumped 106%.

Financial services companies, in particular, are now starting to promote their security initiatives as a way to differentiate, Ellis said.

“We’re seeing the financial services companies that we work with use bug bounty and vulnerability disclosure as a way of saying, ‘We do take [customer] security seriously — before a breach,’” he said.

It’s another indicator that cybersecurity is being viewed less as an “insurance policy” and more as a priority that can help the business, Ellis said. “I think that’s actually a big shift for the industry, in general,” he said.

Originally appeared on: TheSpuzz