Web Application Security
Social Security Number in Hidden field Nov 23 2014 08:12PM
Jyotiranjan Acharya (jyotiranjan121 gmail com) (1 replies)
Re: Social Security Number in Hidden field Nov 23 2014 10:28PM
Robin Wood (robin digi ninja) (1 replies)
Re: Social Security Number in Hidden field Nov 23 2014 11:38PM
snipe (snipe snipe net) (1 replies)
Re: Social Security Number in Hidden field Nov 23 2014 11:54PM
Abhay Rana (capt n3m0 gmail com) (2 replies)
RE: Social Security Number in Hidden field Nov 24 2014 03:17PM
Jeffory Atkinson (jatkinson zelvin com) (1 replies)
RE: [EXT] RE: Social Security Number in Hidden field Nov 24 2014 08:58PM
Hambleton, Robert F (RHamble citgo com)
Re: Social Security Number in Hidden field Nov 24 2014 04:31AM
Lorne Kates (lkates gmail com) (1 replies)
Re: Social Security Number in Hidden field Nov 24 2014 07:11AM
Antti Virtanen (Antti Virtanen solita fi)
For a similar reason I have also implemented such a feature once. The customer was fully aware that the information is not really safe, but they wanted to prevent a casual observer from seeing such information. In modern office environments the observer doesn't need to be in close proximity and I think this is a valid concern.

In my case the sensitive fields were "encrypted", but with a weak algorithm. Vulnerable to a malicious admin or MITM, but this was the least worry in such a scenario.

--
Antti Virtanen
Software Architect

On 24/11/14 06:31, "Lorne Kates" <lkates (at) gmail (dot) com> wrote:

>I once coded an admin page like this. Admins had to have access to SSNs (or SIN, since it was a Canadian company) of applicants. But they didn't want the SSN on the screen all the time. So a button was added that de-masked the SSN when clicked.
>
>The company was fully aware that visually hiding the SSN still meant the information was on the page, in the HTTP request and response, in View Source, etc. The only thing they were worried about was casual shoulder surfers seeing an SSN that they shouldn't. The only time someone would reveal it was if it was needed, and only then if they were the only ones looking at the screen.
>
>The field was also editable. It was blank when filling out a new form, and had a masked SSN otherwise (but if revealed, could be edited).

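Both messages above make the same point: masking the SSN in the browser only defeats shoulder surfers, because the full value is still in the HTTP response, in View Source and in a hidden form field. The following is an added Python example, not code from either poster, showing that pattern next to the defender-side alternative: the server renders only the masked value, a separate reveal endpoint (hypothetical path `/applicants/<id>/ssn` and permission name `ssn:reveal`, both assumptions) returns the full SSN under an explicit privilege check with an audit record, and the editable-field case is handled so that a form posting the mask back does not overwrite the stored value. The applicant record is constructed sample data.

```python
import re
from typing import Optional

# XXX-XX-XXXX layout; loose format check sufficient for the demo.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
MASK_PREFIX = "***-**-"

# Constructed sample record for the demo (not real data).
APPLICANTS = {"a-1001": {"name": "J. Doe", "ssn": "123-45-6789"}}


def mask_ssn(ssn: str) -> str:
    """Return the SSN with everything but the last four digits masked."""
    if not SSN_RE.match(ssn):
        raise ValueError("unexpected SSN format")
    return MASK_PREFIX + ssn[-4:]


def render_client_masked_page(applicant_id: str) -> str:
    """The pattern discussed in the thread: the full SSN is embedded in the page
    (here in a hidden field) and the mask is only cosmetic, so the HTTP response
    and View Source still carry the real value."""
    rec = APPLICANTS[applicant_id]
    return (
        f"<p>Name: {rec['name']}</p>"
        f'<p>SSN: <span id="ssn-display">{mask_ssn(rec["ssn"])}</span>'
        f'<input type="hidden" id="ssn-full" name="ssn" value="{rec["ssn"]}">'
        '<button onclick="reveal()">Reveal</button></p>'
    )


def render_server_masked_page(applicant_id: str) -> str:
    """Server-side masking: only the masked value is rendered. The Reveal button
    points at a separate endpoint (hypothetical path) instead of unhiding a field,
    so the full SSN is never part of this response."""
    rec = APPLICANTS[applicant_id]
    return (
        f"<p>Name: {rec['name']}</p>"
        f'<p>SSN: <span id="ssn-display">{mask_ssn(rec["ssn"])}</span>'
        f'<button data-reveal-url="/applicants/{applicant_id}/ssn">Reveal</button></p>'
    )


def reveal_ssn(user: dict, applicant_id: str, audit: list) -> Optional[str]:
    """Reveal endpoint handler: require an explicit privilege (hypothetical name
    'ssn:reveal') and record every attempt, so each reveal is deliberate and
    traceable to a user. Returns None when access is denied."""
    if "ssn:reveal" not in user["perms"]:
        audit.append(f"DENY reveal applicant={applicant_id} user={user['name']}")
        return None
    audit.append(f"REVEAL applicant={applicant_id} user={user['name']}")
    return APPLICANTS[applicant_id]["ssn"]


def update_ssn(applicant_id: str, submitted: str) -> bool:
    """Handle the editable field: when the form posts the mask back unchanged,
    keep the stored value; otherwise validate and store the new one.
    Returns True only when the stored SSN actually changed."""
    rec = APPLICANTS[applicant_id]
    if submitted == mask_ssn(rec["ssn"]):
        return False
    if not SSN_RE.match(submitted):
        raise ValueError("unexpected SSN format")
    rec["ssn"] = submitted
    return True


if __name__ == "__main__":
    print("client-masked page leaks SSN:",
          "123-45-6789" in render_client_masked_page("a-1001"))
    print("server-masked page leaks SSN:",
          "123-45-6789" not in render_server_masked_page("a-1001") and "no")
```

The `update_ssn` branch matters for the editable field Lorne describes: if the page round-trips the masked placeholder in the form, a naive handler would store `***-**-6789` as the applicant's SSN, so the handler has to recognise the mask and leave the record untouched.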