Cryptographic Failure Vulnerability: Explanation and Examples

They say that he who rules the data rules the world. They also say that knowledge is power. Phrase it any way you want, one thing is certain – information is the hottest commodity these days.

Have you ever wondered why most services these days, especially online, are technically free? That’s ‘cause we’re not the customers – we’re the product.

We entrust social media platforms, online shops, and countless other websites with an abundance of personal information, and they are never satisfied. And, despite sensitive information being, well, sensitive, they’re also seldom as careful with it as they should be. That’s where cryptographic failures come into play.

Also known as sensitive data exposure, a cryptographic failure is one of the biggest security threats that companies, big and small, face today. But, before we figure out how that might happen, let’s find out what a cryptographic failure is anyway, shall we?

Cryptographic Failures: Meaning and Examples

Without bombarding you with high-tech terminology, a cryptographic failure is a security failure that occurs when a third-party entity (apps, web pages, different websites) exposes sensitive data. To be exact, it’s when that entity does so without specific intent behind it. Be it negligence, incompetence, or lapse of judgment, a cryptographic failure can have catastrophic consequences, both personal and business-wise.

Sometimes it is inadequate database protection. Other times, it’s due to misconfigurations when they bring up new datastore instances. At times, sensitive data exposure happens because of inappropriate usage of data systems.

Software flaws. Weak encryption. No encryption at all. An accidental upload to an incorrect database. There are many ways companies can and, from time to time, will expose themselves and leak sensitive information.

But let’s take a step back. What’s the deal with these types of failures anyway? And how can you prevent them? On we go.

What is Cryptographic Failure?

Originally called sensitive data exposure, a cryptographic failure occurs when a system makes sensitive data accessible to potentially malicious snoopers. It also occurs when you have a security incident that enables accidental/unlawful erasure, destruction, alteration, or unwarranted disclosure of sensitive information.

In general, cryptographic failures fall into three categories:

  • Confidentiality breach. It’s what happens when a third party is able to access confidential data or when an organization discloses such data by accident.
  • Integrity breach. This one describes a situation when sensitive data is altered, once again, without authorization and/or intent behind it.
  • Availability breach. What belongs to this category is scenarios where sensitive data is destroyed or when you lose access to it. The category covers both permanent as well as temporary data loss.

At this point, you may start wondering, “But is sensitive data the same as personal data? Or is there any difference between the two?”. A reasonable question, and also the one that we’ll discuss at once.

Personal Data vs. Sensitive Data

In short, personal data covers any information related to identified/identifiable natural (read: conscious) individuals. Non-personal data, on the other hand, includes pieces and bits of information that have no relationship with identifiable people or that are not unique to any single individual.

Sensitive data, meanwhile, encompasses any information that does or could reveal an individual’s:

  • Health, biometric, and otherwise genetic materials
  • Sexual orientation, sex life, or anything along these lines
  • Racial, ethnic, and/or national origins
  • Political views
  • Ties to religious, political, and/or philosophical organizations
  • Religious and/or political beliefs
  • Trade union membership(s)
  • And more.

“So, a cryptographic failure is just another term for data breach then?”, you may ask. A reasonable question as well. But the answer’s no, not quite. Though the two do share a few similarities, there’s also a distinct difference between them.

Cryptographic Failure vs. Data Breach

Cutting straight to the chase, a data breach describes a security incident where intruders are able to access confidential information without authorization.

In this case, the attackers aim to find personally identifiable info or any other data that could provide financial gain, compromise identities, or be sold on the dark web. In other words, they’re looking to obtain data that could be classified as valuable. The goal(s) can be to steal, modify, or destroy that data altogether.

A cryptographic failure, on the other hand, is what happens when you leave data free (on a server or in a database) for anyone to see. More often than not, cryptographic failures come about when you leave configuration details unsecured online. But that’s not all.

What Leads to Cryptographic Failures

Cryptographic failures happen because organizations don’t handle certain information the way they should. At times, you can find sensitive data in plain text documents left unattended.

Of course, when sites don’t enable HTTPS security and don’t secure the connection via SSL, the web pages and apps that store sensitive information will always be vulnerable.

Apart from that, when you store sensitive data in an insecure database, you can also easily expose it to intruders. To elaborate, an insecure database is any database that can fall victim to attacks like SQL injections, uses a weak cryptographic algorithm/key, doesn’t implement hashed and salted password practices, and/or stores data in a multitude of other insecure ways.

As you know, SQL injection attacks are code injection techniques that let hackers interfere with the queries that apps make to their respective databases. Attackers use this technique to ‘appropriate’ data from the affected database through the backend.
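To make the difference concrete, here is an added example (not code from the original article) that puts a query built by string concatenation beside the parameterized form that closes the hole. The table, the function names, and the crafted input are constructed for illustration and run against an in-memory SQLite database.

```python
import sqlite3

def make_db():
    # Constructed in-memory sample data, not taken from the article.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (email TEXT, phone TEXT)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice@example.test", "555-0100"), ("bob@example.test", "555-0101")],
    )
    return db

def lookup_concatenated(db, email):
    # Weak: the input becomes part of the SQL text, so a quote character
    # in it can change the meaning of the WHERE clause.
    sql = "SELECT email, phone FROM customers WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, email):
    # Hardened: the driver binds the value separately from the statement,
    # so it is only ever compared as data and never parsed as SQL.
    sql = "SELECT email, phone FROM customers WHERE email = ?"
    return db.execute(sql, (email,)).fetchall()

# Constructed input containing a quote and an always-true condition.
CRAFTED = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated: ", lookup_concatenated(db, CRAFTED))
    print("parameterized:", lookup_parameterized(db, CRAFTED))
    print("normal lookup:", lookup_parameterized(db, "alice@example.test"))
```

The concatenated query returns every row for an email that matches no customer, while the parameterized query returns nothing for the same input and still answers legitimate lookups.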

By the same token, when you store hashed passwords without salt (read: without full cryptographic protection, making them easy to crack), passwords can be exposed as well. Hashed and salted passwords, on the other hand, are converted into scrambled values during storage, values that the server can check a login against but that can’t simply be read back. But when organizations use second-rate hashing, hackers can easily recover these passwords during a cryptographic failure.
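The gap between unsalted and salted password storage shows up as soon as you look at a stored credential table. The following added example (not from the original article) compares the two; the sample accounts, the storage format, and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

def unsalted_sha256(password):
    # Weak: fast and deterministic, so equal passwords give equal digests.
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password):
    # Hardened: fresh random salt per password plus a deliberately slow KDF.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    # The salt and iteration count are stored beside the digest on purpose.
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def users_sharing_a_digest(table):
    # What an exposed credential table reveals before any cracking happens.
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample accounts, not real data.
SAMPLE = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor"}

if __name__ == "__main__":
    weak = {u: unsalted_sha256(p) for u, p in SAMPLE.items()}
    strong = {u: hash_password(p) for u, p in SAMPLE.items()}
    print("unsalted, shared digests:", users_sharing_a_digest(weak))
    print("salted, shared digests:  ", users_sharing_a_digest(strong))
    print("login check:", verify_password("correct horse", strong["alice"]))
```

With unsalted hashes the table itself shows which accounts share a password, and one precomputed lookup covers all of them; with per-password salts every record has to be worked on separately at the cost of the slow function.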

On that note, let’s look at a few examples of cryptographic failure.

Cryptographic Failures Examples

Cryptographic failures have sent countless websites and apps tumbling to the ground. The victims are too many to count, but these are the most prominent ones among them:

The Exactis Debacle

Less than 4 years ago, a very small (<10 employees) marketing and data aggregation firm called Exactis accidentally exposed its database that contained around 340 million individual records. Be it inexperience, negligence, or ignorance, the people in charge had put the database on a publicly accessible server. What that means is that anyone (anyone who knew where to look, that is) could access this data.

The exposed records included names, phone numbers, emails, and other sensitive data of millions of US citizens. And because this information was intended for highly targeted marketing purposes, it was much more detailed and personal than what people usually expose in an everyday data breach.

The Facebook Incident

Yes, it’s the Facebook we’re talking about here. In the sweet, pre-COVID 2019, it was revealed that over 540 million records related to Facebook users were accidentally leaked by two third-party Facebook app developers.

These apps, without any malicious intent, posted the records in very much plain sight on Amazon’s cloud service. The exposed records included Facebook users’ account names, IDs, friends, photos, location check-ins, and passwords.

Unfortunately, that wasn’t the first nor the last time Facebook had exposed sensitive information. A month prior, Facebook found that the passwords of about 600 million users were stored internally in plain text for months. A few months before that, the same book of faces revealed that data on millions of users had been harvested by data science company Cambridge Analytica.

How to Prevent a Cryptographic Failure

Catalog data. To protect the clients’ data, organizations should, nay, must make sure that they keep a close eye on all of the data they store within the system(s). In addition, they should perform regular audits. This way, they will always be able to keep track of the owners, locations, security, as well as governance measures that are enabled on the stored data.

Assess risks. To ensure they can protect data, organizations need to know what risks the stored data might face and allocate their budgets and resources to mitigate these risks accordingly. The more valuable the data is, the higher the chance that it might incur harm. Even the smallest amounts of sensitive data can have tremendous consequences for the data subjects.

Ensure appropriate security. To avoid a cryptographic failure and limit the impact it might have on the associated data subjects, organizations have to install sufficient security controls.

Take immediate action. To guarantee an immediate response to a cryptographic failure, organizations must put in place effective breach response mechanisms.

Though sizable organizations are more likely to fall victim to sensitive data exposure, individuals can be vulnerable to it too. The good news is that there are multiple security measures you can take to prevent it:

  • Make sure that each online account you manage includes a unique and complex-enough password. Of course, it may feel difficult to keep track of a seemingly never-ending stream of these passwords, so we would recommend using an account manager.
  • Keep a close eye on your financial accounts (including budget and banking apps). Check these accounts as frequently as possible to spot unusual/unfamiliar activity asap. Some companies provide activity alerts (usually via text and/or email). You can’t go wrong using them.
  • Keep an equally close eye on that credit report of yours. Again, as long as you do that on a frequent enough basis, you’ll be able to find out should anyone attempt to open new credit/debit card(s) or any other account in your name. In fact, you’re entitled to one free credit report per year from every major credit reporting agency. Find out more at annualcreditreport.com.
  • Take immediate action. Not unlike big-time organizations, everyday people can also benefit from taking immediate action in case of sensitive data exposure. When you spot suspicious activity, contact the involved party (usually a financial institution) right away. The same applies to situations when someone steals your information in a data breach.
  • Use secure URLs alone. You’re far less likely to expose sensitive data when you visit well-known websites that you can trust. In general, these sites begin with https://, the “s” part being the key figure. This is twice as important when you enter financial information (credit card number, validation code, etc).
  • Employ high-level security software. Equipped with a robust software suite that covers malware and viruses, you should be able to stand strong against most threats, including data exposure.
  • Look into identity theft and credit monitoring services. The mess that stolen identities can cause can take months to fix. With that in mind, we would recommend looking into identity theft protection and credit monitoring services. Using these, you’ll be less vulnerable to data breaches and cryptographic failures.

All Things Considered

Cryptographic failures rank #2 on OWASP’s top 10 web application security risks, so they’re no joke. Companies big and small have fallen victim to sensitive data exposure. And the fact that the culprit behind these failures is the companies’ own negligence doesn’t make it hurt any less. Having said that, assuming you learn from others’ mistakes and err on the side of caution, there’s a pretty good chance you’ll be able to avoid this pitfall.
