CWE-360: Trust of System Event Data

Description

Security based on event locations are insecure and can be spoofed.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-10-26 00:00:00+00:00

Organization :

MITRE

Extended Description

Events are a messaging system which may provide control data to programs listening for events. Events often do not have any type of authentication framework to allow them to be verified from a trusted source. Any application, in Windows, on a given desktop can send a message to any window on the same desktop. There is no authentication framework for these messages. Therefore, any message can be used to manipulate any process on the desktop if the process does not check the validity and safeness of those messages.

Example Vulnerable Codes

Example - 1

This example code prints out secret information when an authorized user activates a button:

System.out.println("print out secret information");if (e.getSource() == button) {}public void actionPerformed(ActionEvent e) {}

This code does not attempt to prevent unauthorized users from activating the button. Even if the button is rendered non-functional to unauthorized users in the application UI, an attacker can easily send a false button press event to the application window and expose the secret information.

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-345: Insufficient Verification of Data Authenticity

Go to

CWE-422: Unprotected Windows Messaging Channel ('Shatter')

Go to

Visit http://cwe.mitre.org/ for more details.