TH16125
Detected presence of software components that can access third-party application databases.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
 | pass | medium | high | None | None |
About the issueโ
Installed software stores sensitive user information in application-specific databases. For third-party applications, this sensitive information may include stored passwords, sensitive files and other user communications. These databases are typically not protected from unauthorized access for user convenience. Any encryption they might employ is easily bypassed, as the encryption keys are commonly stored alongside the data. For this reason, attackers often aim to gain access to third-party application databases and exfiltrate collected data to a remote server. While the presence of code that accesses third-party databases does not necessarily imply malicious intent, all of its uses in a software package should be documented and approved. Only select applications should consider using functions that can interact with sensitive user information. One example of acceptable use for such functions is extending third-party application functionality through natively developed plugins.
How to resolve the issueโ
- Investigate reported detections as indicators of software tampering.
- Consult Mitre ATT&CK documentation: T1005 - Data from Local System.
- Consider rewriting the flagged code without using the marked behaviors.
Recommended readingโ
- T1005 - Data from Local System (External resource - Mitre ATT&CK documentation)
- Data exfiltration (External resource - Wikipedia)