CWE-656: Reliance on Security Through Obscurity

Description

The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism.

Submission Date :

Jan. 18, 2008, midnight

Modification Date :

2023-10-26 00:00:00+00:00

Organization :

Purdue University
Extended Description

This reliance on "security through obscurity" can produce resultant weaknesses if an attacker is able to reverse engineer the inner workings of the mechanism. Note that obscurity can be one small part of defense in depth, since it can create more work for an attacker; however, it is a significant risk if used as the primary means of protection.

Example Vulnerable Codes

Example - 1

The design of TCP relies on the secrecy of Initial Sequence Numbers (ISNs), as originally covered in CVE-1999-0077 [REF-542]. If ISNs can be guessed (due to predictability, CWE-330) or sniffed (due to lack of encryption during transmission, CWE-312), then an attacker can hijack or spoof connections. Many TCP implementations have had variations of this problem over the years, including CVE-2004-0641, CVE-2002-1463, CVE-2001-0751, CVE-2001-0328, CVE-2001-0288, CVE-2001-0163, CVE-2001-0162, CVE-2000-0916, and CVE-2000-0328.

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-259: Use of Hard-coded Password
Go to
CWE-321: Use of Hard-coded Cryptographic Key
Go to
CWE-472: External Control of Assumed-Immutable Web Parameter
Go to
CWE-603: Use of Client-Side Authentication
Go to
CWE-657: Violation of Secure Design Principles
Go to
CWE-693: Protection Mechanism Failure
Go to

Visit http://cwe.mitre.org/ for more details.