CONCEPT

Sensitive data exposure

Definition

Sensitive data exposure is a security vulnerability in which confidential or protected information is unintentionally made accessible to parties that should not have access, creating risk of misuse or loss of trust (Source: sources/2026-04-21-figma-visibility-at-scale-sensitive-data-exposure).

Distinct from authentication bypass or credential theft — the user is legitimately authenticated, but the system returns data the user is not authorized to see, or returns fields the client should never receive at all.

Canonical failure modes

From Figma's framing + production findings:

  1. Endpoint over-returns. An API returns more fields than the client needs. Edge case: a "list files" endpoint returns per-file metadata including fields appropriate for owners but not viewers — because the response is shared across permission levels and the filter is missing.
  2. Legacy path skips a permission check. A rarely-exercised code path bypasses authorization entirely, returning resources without per-item access verification.
  3. Missing validation on a list result. A handler verifies access to the parent resource but returns a list of children without per-child checks.
  4. Forgotten field. A column added for an internal use case accidentally serializes into a public response — the classic "long-unused data field unexpectedly making its way into certain responses."
  5. Transitive leak. Data from a related resource (loaded as part of the query join) ends up in the response body without the handler intending to include it.

Why prevention alone is insufficient

Figma invested heavily in preventive controls — an internal authorization DSL (PermissionsV2), negative unit tests, E2E testing in staging and production, security review, penetration testing, bug bounty — and still chose to add a continuous-detection layer. Rationale (from the post):

"As our products and infrastructure have grown in complexity, the risk of subtle oversights or unexpected data flows has naturally increased. Even well-designed systems can produce surprises when services interact in new ways or when existing paths behave differently than expected."

Preventive measures + testing can't enumerate every edge case when services compose dynamically. Detection-in-depth catches what prevention misses. See concepts/detection-in-depth.

Detection approaches

Application-layer response sampling

Inspect a sampled fraction of outbound responses for forbidden values or unauthorized references. Canonical production instance: Figma Response Sampling (Phase 1: file identifiers; Phase 2: banned_from_clients fields tagged by FigTag).

Proxy-layer DLP

Data-loss-prevention at the proxy (Envoy or an egress gateway). Simpler to deploy but — as Figma notes — loses the authenticated user context needed for user-aware permission checks.

Static analysis

Taint-tracking / schema-driven type checks at compile time that flag sensitive fields reaching a serializer. Complementary to runtime detection; catches a different failure shape.

Relation to authorization flaws

Sensitive data exposure is often the observable symptom of an authorization flaw (IDOR, broken object-level authorization, broken function-level authorization in OWASP terms). Detecting the symptom is feasible even when the cause spans many code paths. This is the detection-over-prevention asymmetry that motivates sampling-based approaches.

Trade-offs

  • Coverage vs overhead. Sampling rate trades detection breadth against latency/resource cost. Figma runs async (non-blocking) to decouple detection latency from user-facing latency.
  • True positives vs alert fatigue. High false-positive rate destroys trust in the alerts. Dynamic allowlisting (patterns/dynamic-allowlist-for-safe-exposure) handles legitimate intentional exposure.
  • Precise vs approximate matching. Phase 1 at Figma matches on high-entropy token shape (regex-feasible). Phase 2 tracks the exact values loaded during the request via ORM callbacks to avoid coincidental matches.
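The sampling check described under "Application-layer response sampling" and in the trade-offs above, as an added Python example that is not Figma's code: it models Phase 2 (exact values captured by an ORM load callback, with a dynamic allowlist for intentional exposure) and Phase 1 (a cheap regex on token shape, then a check against identifiers the user is not authorized for), run off the request path. The callback name, the identifier regex, the minimum value length and the sample data are assumptions.

```python
import re
import secrets
from dataclasses import dataclass, field

# Phase 1 shape matcher for opaque, high-entropy identifiers. The real format of
# Figma file keys is not given on the page, so this pattern is a constructed assumption.
TOKEN_SHAPE = re.compile(r"\b[A-Za-z0-9]{22,}\b")
MIN_VALUE_LEN = 4  # tiny values ("1", "ok") would match almost any body by coincidence


@dataclass
class RequestContext:
    """Per-request state: exact values the ORM loaded for fields tagged banned_from_clients."""
    user_id: str
    banned_values: dict = field(default_factory=dict)  # value -> "Model.field" it came from
    allowlist: set = field(default_factory=set)        # values the handler may expose on purpose

    def on_record_loaded(self, model, attrs, banned_fields):
        # Stand-in for an ORM after-load callback (hypothetical hook name).
        for name in banned_fields:
            val = attrs.get(name)
            if val is not None and len(str(val)) >= MIN_VALUE_LEN:
                self.banned_values[str(val)] = f"{model}.{name}"


def should_sample(rate, draw=None):
    """Bernoulli sampling gate; `draw` lets tests force the decision."""
    x = secrets.randbelow(10_000) / 10_000 if draw is None else draw
    return x < rate


def inspect_response(ctx, body, unauthorized_ids=frozenset()):
    """Return exposure findings for one serialized response body.

    Intended to run asynchronously after the response is sent, so detection
    latency never adds to user-facing latency. `unauthorized_ids` are file
    identifiers the authorization layer says this user may not see.
    """
    findings = []
    # Phase 2: exact match on values loaded during this request.
    for value, origin in ctx.banned_values.items():
        if value in body and value not in ctx.allowlist:
            findings.append({"phase": 2, "origin": origin, "value": value})
    # Phase 1: shape match first (cheap regex), then confirm the candidate is one
    # this user is not authorized for, so shared or public ids are not flagged.
    for tok in set(TOKEN_SHAPE.findall(body)):
        if tok in unauthorized_ids and tok not in ctx.allowlist:
            findings.append({"phase": 1, "origin": "file_id", "value": tok})
    return findings
```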
