Email Disclosure
- CAPEC 118
- CWE 200
- WASC 13
- OWASP PC-C7
Disclosure of email addresses on web sites can trigger the sending of large amounts of spam to those addresses. Most spammers use bots to harvest email addresses from web sites specifically for this purpose. In order to identify email addresses, these bots generally scan the HTML source for instances of mailto: links or at symbols (i.e., @).
Email addresses of individuals may also be used in social engineering attacks.
Remediation
Consider removing any email addresses that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as contact@example.com).
To reduce the quantity of spam sent to anonymous mailbox addresses, consider hiding the email address and instead providing a form that generates the email server-side, protected by a CAPTCHA if necessary.
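The check a site owner can run on their own pages before publishing mirrors what the harvesting bots do: look for mailto: links and @-style addresses in the HTML source, then flag any address that is not one of the anonymous mailboxes you intend to expose. The following Python script is an added example, not code from the original page; the sample HTML and the allowed-address list are constructed for the demonstration.

```python
"""Pre-publish check: find email addresses disclosed in HTML source."""
import re
from html.parser import HTMLParser
from typing import Dict, Set, Tuple, List, Iterable

# Permissive address pattern; good enough for a pre-publish sweep.
EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"
)

# Constructed sample page (assumption for the demo, not a real site).
SAMPLE_HTML = """<html><body>
<p>Contact <a href="mailto:jane.doe@example.com?subject=Hi">Jane</a></p>
<p>General enquiries: contact@example.com</p>
<!-- TODO: ask bob@example.com about the new form -->
<p>Or use our <a href="/contact">contact form</a>.</p>
</body></html>"""


class EmailFinder(HTMLParser):
    """Collects addresses and records where in the markup each was seen."""

    def __init__(self) -> None:
        super().__init__()
        self.found: Dict[str, Set[str]] = {}

    def _record(self, addr: str, where: str) -> None:
        self.found.setdefault(addr.lower(), set()).add(where)

    def handle_starttag(self, tag, attrs) -> None:
        for name, value in attrs:
            if value is None:
                continue
            if name == "href" and value.lower().startswith("mailto:"):
                # mailto:addr?subject=... -> keep only the address part
                target = value[len("mailto:"):].split("?", 1)[0]
                for addr in EMAIL_RE.findall(target):
                    self._record(addr, "mailto")
            else:
                # Addresses hidden in other attributes (value=, data-*) count too.
                for addr in EMAIL_RE.findall(value):
                    self._record(addr, "attribute")

    def handle_data(self, data: str) -> None:
        for addr in EMAIL_RE.findall(data):
            self._record(addr, "text")

    def handle_comment(self, data: str) -> None:
        # HTML comments are invisible to users but not to harvesters.
        for addr in EMAIL_RE.findall(data):
            self._record(addr, "comment")


def find_emails(html: str) -> Dict[str, Set[str]]:
    """Return {address: {locations}} for every address in the source."""
    parser = EmailFinder()
    parser.feed(html)
    parser.close()
    return parser.found


def classify(found: Dict[str, Set[str]],
             allowed: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split addresses into those to remove and the intended anonymous ones."""
    allowed_set = {a.lower() for a in allowed}
    personal = sorted(a for a in found if a not in allowed_set)
    anonymous = sorted(a for a in found if a in allowed_set)
    return personal, anonymous


if __name__ == "__main__":
    found = find_emails(SAMPLE_HTML)
    personal, anonymous = classify(found, ["contact@example.com"])
    for addr in personal:
        print(f"REMOVE  {addr:30} seen in: {', '.join(sorted(found[addr]))}")
    for addr in anonymous:
        print(f"ALLOWED {addr:30} seen in: {', '.join(sorted(found[addr]))}")
```

Run it against the rendered HTML of each page (the output a crawler sees, not your templates), treat any address on the REMOVE list as a finding, and consider whether even the allowed anonymous mailbox should be replaced by a server-side form as described above.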