1. Home
  2. CWE Database
  3. CWE-360
Base · Medium

CWE-360: Trust of System Event Data

Security based on event locations are insecure and can be spoofed.

CWE-360 · Base Level ·1 CVEs ·1 Mitigations

Description

Security based on event locations are insecure and can be spoofed.

Events are a messaging system which may provide control data to programs listening for events. Events often do not have any type of authentication framework to allow them to be verified from a trusted source. Any application, in Windows, on a given desktop can send a message to any window on the same desktop. There is no authentication framework for these messages. Therefore, any message can be used to manipulate any process on the desktop if the process does not check the validity and safeness of those messages.

Potential Impact

Integrity, Confidentiality, Availability, Access Control

Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands

Demonstrative Examples

This example code prints out secret information when an authorized user activates a button:
Bad
public void actionPerformed(ActionEvent e) {if (e.getSource() == button) {System.out.println("print out secret information");}}
This code does not attempt to prevent unauthorized users from activating the button. Even if the button is rendered non-functional to unauthorized users in the application UI, an attacker can easily send a false button press event to the application window and expose the secret information.

Mitigations & Prevention

Architecture and Design

Never trust or rely any of the information in an Event for security.

Real-World CVE Examples

CVE IDDescription
CVE-2004-0213Attacker uses Shatter attack to bypass GUI-enforced protection for CVE-2003-0908.

CWE-345: Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid d...

Taxonomy Mappings

  • CLASP: — Trust of system event data
  • Software Fault Patterns: SFP29 — Faulty endpoint authentication

Frequently Asked Questions

What is CWE-360?

CWE-360 (Trust of System Event Data) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. Security based on event locations are insecure and can be spoofed.

How can CWE-360 be exploited?

Attackers can exploit CWE-360 (Trust of System Event Data) to gain privileges or assume identity, execute unauthorized code or commands. This weakness is typically introduced during the Architecture and Design, Implementation phase of software development.

How do I prevent CWE-360?

Key mitigations include: Never trust or rely any of the information in an Event for security.

What is the severity of CWE-360?

CWE-360 is classified as a Base-level weakness (Medium abstraction). It has been observed in 1 real-world CVEs.