WebApp Sec mailing list archives
Re: Social Security Number in Hidden field
From: Lorne Kates <lkates () gmail com>
Date: Sun, 23 Nov 2014 23:31:32 -0500
I once coded an admin page like this. Admins had to have access to SSNs (or SIN, since it was a Canadian company) of applicants. But they didn't want the SSN on the screen all the time. So a button was added that de-masked the SSN when clicked.

The company was fully aware that visually hiding the SSN still meant the information was on the page, in the HTTP request and response, in View Source, etc. The only thing they were worried about was casual shoulder surfers seeing an SSN that they shouldn't. The only time someone would reveal it was if it was needed, and only then if they were the only ones looking at the screen.

The field was also editable. It was blank when filling out a new form, and had a masked SSN otherwise (but if revealed, could be edited).
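The point made in the message above, that a visually masked value is still present in the HTTP response and in View Source, can be checked mechanically. The following Python check is an added example, not part of the original post: it scans a response body for input fields whose `value` still carries a full 9-digit identifier. The sample page, its field names and its values are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Nine digits grouped as a US SSN (3-2-4) or a Canadian SIN (3-3-3), separators optional.
ID_RE = re.compile(r"\b(\d{3}[- ]?\d{2}[- ]?\d{4}|\d{3}[- ]?\d{3}[- ]?\d{3})\b")

def luhn_ok(digits):
    """Canadian SINs carry a Luhn check digit; US SSNs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

class FieldScanner(HTMLParser):
    """Collects <input> fields whose value attribute holds a full identifier."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        match = ID_RE.search(a.get("value") or "")
        if match:
            digits = re.sub(r"\D", "", match.group(1))
            kind = "Luhn-valid SIN" if luhn_ok(digits) else "9-digit identifier"
            # Record field name and type only; never copy the value into a report.
            self.findings.append((a.get("name"), a.get("type", "text"), kind))

def scan_response(html):
    scanner = FieldScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed response body: two fields expose the full number, one is masked server-side.
SAMPLE = """
<form>
  <input type="password" name="sin" value="046 454 286">
  <input type="hidden" name="ssn_raw" value="123-45-6789">
  <input type="text" name="sin_masked" value="***-***-286" readonly>
</form>
"""

if __name__ == "__main__":
    for name, field_type, kind in scan_response(SAMPLE):
        print(f"{name} (type={field_type}): {kind} present in response body")
```

A field that is masked on the server, such as `sin_masked` in the sample, produces no finding because the full number never leaves the server.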