Plaintext Storage in Executable
Weakness ID: 318 (Weakness Variant)Status: Draft
+ Description

Description Summary

Sensitive information should not be stored in plaintext in an executable. Attackers can reverse engineer a binary code to obtain secret data.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms



+ Observed Examples
CVE-2005-1794Product stores RSA private key in a DLL and uses it to sign a certificate, allowing spoofing of servers and MITM attacks.
+ Potential Mitigations

Sensitive information should not be stored in an executable. Even if heavy fortifications are in place, sensitive data should be encrypted to prevent the risk of losing confidentiality.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness Base312Cleartext Storage of Sensitive Information
Development Concepts (primary)699
Research Concepts (primary)1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERPlaintext Storage in Executable
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
37Lifting Data Embedded in Client Distributions
65Passively Sniff and Capture Application Code Bound for Authorized Client
+ Content History
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Taxonomy Mappings