On Privacy Weaknesses and Vulnerabilities in Software Systems
Pattaraporn Sangaroonsilp, Hoa Khanh Dam, Aditya Ghose

TL;DR
This paper reveals significant gaps in existing vulnerability databases regarding privacy weaknesses, introduces new privacy-specific weaknesses, and emphasizes the need for comprehensive privacy vulnerability coverage in software security.
Contribution
The study identifies the limited coverage of privacy vulnerabilities in CWE and CVE, and proposes 11 new privacy weaknesses to enhance these systems.
Findings
Only 4.45% of CWE weaknesses and 0.1% of CVE entries are privacy-related.
Existing systems cover few privacy threat areas.
11 new privacy weaknesses are proposed.
Abstract
In this digital era, our privacy is under constant threat as our personal data and traceable online/offline activities are frequently collected, processed and transferred by many software applications. Privacy attacks are often formed by exploiting vulnerabilities found in those software applications. The Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE) systems are currently the main sources that software engineers rely on for understanding and preventing publicly disclosed software vulnerabilities. However, our study on all 922 weaknesses in the CWE and 156,537 vulnerabilities registered in the CVE to date has found a very small coverage of privacy-related vulnerabilities in both systems, only 4.45% in CWE and 0.1% in CVE. These also cover only a small number of areas of privacy threats that have been raised in existing privacy software engineering…
Taxonomy
Topics: Privacy, Security, and Data Protection · Access Control and Trust · Privacy-Preserving Technologies in Data
