Information leakage is a blanket term for vulnerabilities that disclose either something about the system or some of the application's data to users who are not authorized to receive it. An information leak occurs when application code sends the user data that the user is not entitled to see. Most information leaks reveal details about the system (software versions, file paths, stack traces, internal hostnames) that help an attacker find and exploit other vulnerabilities. Some leaks expose application data directly, and in that case the data itself is usually the attacker's goal. The disclosed data can include authentication credentials, which an attacker can use to take over user accounts or the application. All application types are affected by information leak vulnerabilities.
There are two main types of information leakage: system information leaks and application data leaks.
A system information leak is useful to an attacker only in combination with some other vulnerability: by itself it grants no additional capability, but it tells the attacker where to aim. For example, the operating system on the application server might be outdated and vulnerable, but the attacker does not know that until the application reveals the version. At that point the attacker can pick an exploit that targets that operating system, compromise the server, and with it the application.
Application data leaks are an attack in themselves: the attacker gains unauthorized access to the data directly, without needing a second vulnerability.
To prevent system information leaks, return simple, generic error messages to the user (log the details server-side instead, tagged with a reference the user can quote to support) and harden the server so that it does not advertise its software, versions or internal paths.
To check for adequate protection against system information leaks, trigger error conditions and verify that the responses contain only generic messages (no stack traces, file paths, version strings or raw database errors), and verify that the server is hardened (no version banners in response headers and no default error pages that identify the software).
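The following Python example is added here as an illustration and is not code from the original page. It places a leaky error handler, which echoes a traceback and a server banner to the client, beside a hardened handler that returns only a generic message with an incident reference and keeps the details in the server log, and it includes a small checker that scans a response for the kinds of detail a system information leak exposes, which is the verification step described above. The banner string, the sample exception text and every function name are constructed for this example and do not refer to any real deployment.

```python
import logging
import re
import traceback
import uuid

log = logging.getLogger("app")

# Hypothetical server banner, constructed for this example.
LEAKY_BANNER = "ExampleServer/1.2.3 (Linux)"


def leaky_error_response(exc: Exception) -> dict:
    """Leaky handler: ships the traceback and a version banner to the client.

    This is the behaviour to avoid; it is shown only as the 'before' case."""
    details = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return {
        "status": 500,
        "headers": {"Server": LEAKY_BANNER},
        "body": "Internal error:\n" + details,
    }


def safe_error_response(exc: Exception) -> dict:
    """Hardened handler: generic message to the client, details in the server log.

    The incident id lets support correlate the user's report with the log entry
    without telling the user anything about the system."""
    incident_id = uuid.uuid4().hex[:12]
    details = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("incident %s\n%s", incident_id, details)
    return {
        "status": 500,
        "headers": {},  # no Server / X-Powered-By style banner
        "body": f"An internal error occurred. Reference: {incident_id}",
    }


# Markers of system detail that should never reach a client. The list is
# illustrative, not exhaustive; extend it for the frameworks you actually run.
LEAK_PATTERNS = [
    (r"Traceback \(most recent call last\)", "python traceback"),
    (r'File "[^"]+", line \d+', "source file reference"),
    (r"/(?:usr|home|var|opt|srv|etc)/\S+", "unix filesystem path"),
    (r"\b\d+\.\d+\.\d+\b", "version string"),
    (r"(?i)\b(?:sql|syntax error|ORA-\d+|psycopg2|mysql)\b", "database error text"),
]


def find_system_info_leaks(response: dict) -> list:
    """Return the label of every leak pattern found in a response's headers or body."""
    text = response["body"] + "\n" + "\n".join(
        f"{name}: {value}" for name, value in response["headers"].items()
    )
    return [label for pattern, label in LEAK_PATTERNS if re.search(pattern, text)]


def simulate() -> dict:
    """Raise a constructed failure and run both handlers through the checker."""
    try:
        # Constructed error text; the driver name and socket path are hypothetical.
        raise RuntimeError(
            "psycopg2.OperationalError: could not connect to /var/run/postgresql/.s.PGSQL.5432"
        )
    except RuntimeError as exc:
        return {
            "leaky": find_system_info_leaks(leaky_error_response(exc)),
            "safe": find_system_info_leaks(safe_error_response(exc)),
        }


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(simulate())
```

Run as a script it prints the findings for both handlers: the leaky response trips every pattern, the hardened one trips none. In a real application the equivalent of safe_error_response is registered as the framework's catch-all error handler, and find_system_info_leaks is run over responses from a test client as a regression check so that a newly enabled debug page or a changed banner is caught before release.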