E-Arogya

Sensitive Information Disclosure (Repeated)
observation : Repeated
CWE : CEW-200
Description :
Information disclosure, also known as information leakage, is when a website
unintentionally reveals sensitive information to its users. Depending on the context,
websites may leak all kinds of information to a potential attacker, including: (a) Data
about other users, such as usernames or financial information (b) Sensitive commercial
or business data (c) Technical details about the website and its infrastructure
Affected Path(s) :
https://his-patient-management-service.satragroup.in/patientById/45 *-Applicable to
entire application
Impact :
The dangers of leaking sensitive user or business data are fairly obvious, but disclosing
technical information can sometimes be just as serious. Although some of this
information will be of limited use, it can potentially be a starting point for exposing an
additional attack surface, which may contain other interesting vulnerabilities.
Evidence/Proof Of Concept :
Step 1: Access the URL "https://his-patient-managementservice.satragroup.in/patientById/45" and it was observed that sensitive information like
"Aadhar numbers" were disclosed in Plain text as shown in below screenshot.

Recommendation :
It is recommended not to disclose any sensitive information to the end user. Incase of
aadhaar: It is recommended to use Aadhaar vault service to store aadhaar numbers
securely as per UIDAI guidelines. Mask Aadhaar numbers and display only last 4 digits.