Weakness reference
CWE-524

Use of Cache Containing Sensitive Information

01 Summary

This weakness occurs when an application stores sensitive data (passwords, tokens, personal information, etc.) in a cache that is accessible to unauthorized users or processes. Unlike secure caches that are properly isolated and cleared, vulnerable caches leave sensitive information exposed to anyone who can read the cache storage — whether that's another user on the same system, a malicious process, or an attacker with local access.

02 How It Happens

Caches are designed to improve performance by storing frequently accessed data in fast-access locations. However, developers sometimes cache sensitive information without considering who can read that cache. This happens when:

- Sensitive data is stored in shared memory, temporary files, or browser caches without encryption or access controls.
- Cache clearing logic is missing or incomplete, leaving old sensitive data in place after it should have been discarded.
- The cache is stored in a location with overly permissive file permissions or in a shared system resource.
- The application assumes the cache location is private when it is actually accessible to other processes or users on the same system.

The core issue is a mismatch between the sensitivity of the data and the protection level of the storage mechanism.

03 Real-World Impact

An attacker with local system access or the ability to read cache files can extract sensitive information without triggering application-level security controls. This can lead to credential theft, session hijacking, unauthorized access to user accounts, or exposure of personal data. In multi-user or shared hosting environments, one user's cached secrets may be readable by another. Even on single-user systems, malware or a compromised process can harvest cached credentials.

04 Vulnerable & Fixed Patterns

Vulnerable pattern
import json

def cache_user_session(user_id, auth_token):
    # Plaintext token written to a shared directory, created with the process's
    # default umask (typically 0644, i.e. world-readable) and never expired or removed.
    cache_file = f"/tmp/user_cache_{user_id}.json"
    with open(cache_file, 'w') as f:
        json.dump({"user_id": user_id, "token": auth_token}, f)

def retrieve_cached_token(user_id):
    # Reads the token back with no check on who else could have read it meanwhile.
    cache_file = f"/tmp/user_cache_{user_id}.json"
    with open(cache_file, 'r') as f:
        return json.load(f)["token"]

Why it's vulnerable:
The authentication token is written to a world-readable temporary file in /tmp with no encryption, no access controls, and no automatic expiration. Any process on the system can read this file and obtain the token.

Fixed pattern
import tempfile
import json
import os
from cryptography.fernet import Fernet

def cache_user_session(user_id, auth_token, encryption_key):
    # encryption_key is a Fernet key held in a secrets store, never next to the cache.
    cipher = Fernet(encryption_key)
    encrypted_token = cipher.encrypt(auth_token.encode())
    cache_dir = tempfile.gettempdir()
    cache_file = os.path.join(cache_dir, f"user_cache_{user_id}.json")

    # Create the file with mode 0600 from the first byte. Writing with the default
    # umask and calling chmod afterwards leaves a window in which another process
    # can read a world-readable copy.
    fd = os.open(cache_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as f:
        json.dump({"user_id": user_id, "token": encrypted_token.decode()}, f)
    os.chmod(cache_file, 0o600)  # Also tighten a pre-existing file created with looser permissions

def retrieve_cached_token(user_id, encryption_key, max_age_seconds=3600):
    cache_file = os.path.join(tempfile.gettempdir(), f"user_cache_{user_id}.json")
    with open(cache_file, 'r') as f:
        data = json.load(f)
    cipher = Fernet(encryption_key)
    # Fernet tokens carry a creation timestamp; ttl= rejects entries older than
    # max_age_seconds, giving the cache an expiration the vulnerable version lacked.
    return cipher.decrypt(data["token"].encode(), ttl=max_age_seconds).decode()

Vulnerable pattern
<?php
function cache_user_credentials($username, $password) {
    $cache_file = "/tmp/user_cache_" . $username . ".txt";
    file_put_contents($cache_file, $password);
}

function get_cached_password($username) {
    $cache_file = "/tmp/user_cache_" . $username . ".txt";
    return file_get_contents($cache_file);
}
?>

Why it's vulnerable:
The password is stored in plaintext in a world-readable temporary file with no encryption, no permission restrictions, and no expiration. Any user or process on the server can read the file.

Fixed pattern
<?php
function cache_user_credentials($username, $password, $encryption_key) {
    // $encryption_key must be 32 random bytes (AES-256) held in a secrets store, not next to the cache
    $cache_dir = sys_get_temp_dir();
    $cache_file = $cache_dir . DIRECTORY_SEPARATOR . "user_cache_" . hash('sha256', $username) . ".txt";

    // A fresh random IV per write; GCM also yields an authentication tag, so a
    // modified cache file fails to decrypt instead of returning garbage.
    $iv = random_bytes(12);
    $encrypted = openssl_encrypt($password, 'aes-256-gcm', $encryption_key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($encrypted === false) {
        throw new RuntimeException('encryption failed');
    }

    // Lower the umask so the file is never created readable by others, then chmod
    // to also tighten a file that already existed with looser permissions.
    $old_umask = umask(0077);
    file_put_contents($cache_file, base64_encode($iv . $tag . $encrypted), LOCK_EX);
    umask($old_umask);
    chmod($cache_file, 0600);  // Owner read/write only
}

function get_cached_password($username, $encryption_key) {
    $cache_dir = sys_get_temp_dir();
    $cache_file = $cache_dir . DIRECTORY_SEPARATOR . "user_cache_" . hash('sha256', $username) . ".txt";

    if (!file_exists($cache_file)) return null;
    $blob = base64_decode(file_get_contents($cache_file), true);
    if ($blob === false || strlen($blob) < 28) return null;  // 12-byte IV + 16-byte tag
    $iv = substr($blob, 0, 12);
    $tag = substr($blob, 12, 16);
    $plain = openssl_decrypt(substr($blob, 28), 'aes-256-gcm', $encryption_key, OPENSSL_RAW_DATA, $iv, $tag);
    return $plain === false ? null : $plain;  // false: wrong key or tampered file
}
?>

05 Prevention Checklist

- Encrypt sensitive data at rest — use strong encryption (AES-256 or equivalent) for any cached credentials, tokens, or personal information.
- Restrict cache file permissions — set file permissions to 0600 (owner read/write only) or use OS-level access controls to prevent other users or processes from reading cache files.
- Avoid caching sensitive data when possible — consider whether the data truly needs to be cached, or whether it can be retrieved fresh on demand.
- Implement cache expiration — set automatic TTLs (time-to-live) on cached sensitive data and clear it explicitly when no longer needed.
- Use secure cache locations — store caches in application-specific directories with restricted permissions, not in shared system locations like /tmp.
- Clear cache on logout or session end — ensure sensitive cached data is deleted when a user logs out or a session expires.
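The checklist items other than encryption (private location, 0600 creation, TTL, clearing on logout) are the ones the fixed patterns above leave out, so here is an added example, not code from the CWE entry, of a small file-backed cache that applies all of them at once. The class name `PrivateExpiringCache`, its method names and the `encrypt`/`decrypt` hooks are assumptions for this illustration; a Fernet cipher like the one in the fixed Python pattern can be passed as the hooks.

```python
import hashlib
import json
import os
import tempfile
import time


class PrivateExpiringCache:
    """File-backed cache for sensitive values applying the checklist controls:
    an application-private directory (0700), entries created with mode 0600 from
    the first byte, a per-entry TTL, and explicit clearing on logout. `encrypt`
    and `decrypt` are optional callables (str -> str) applied before writing and
    after reading; the default identity is only acceptable for non-sensitive
    values, so wire in a real cipher (e.g. Fernet) for credentials or tokens.
    """

    def __init__(self, cache_dir, default_ttl=300, encrypt=None, decrypt=None):
        self.cache_dir = cache_dir
        self.default_ttl = default_ttl
        self.encrypt = encrypt or (lambda s: s)
        self.decrypt = decrypt or (lambda s: s)
        os.makedirs(cache_dir, mode=0o700, exist_ok=True)
        os.chmod(cache_dir, 0o700)  # makedirs is subject to umask; enforce regardless

    def _path(self, key):
        # Keys are hashed so user-controlled identifiers cannot traverse
        # directories and file names do not reveal who has an active session.
        digest = hashlib.sha256(key.encode()).hexdigest()
        return os.path.join(self.cache_dir, digest + ".json")

    def put(self, key, value, ttl=None, now=None):
        """Store value for key; it becomes unreadable once ttl seconds have passed."""
        now = time.time() if now is None else now
        entry = {"value": self.encrypt(value),
                 "expires_at": now + (self.default_ttl if ttl is None else ttl)}
        # mkstemp creates the file 0600 inside the private directory, so no
        # world-readable copy ever exists; os.replace then publishes it atomically.
        fd, tmp_path = tempfile.mkstemp(dir=self.cache_dir, suffix=".tmp")
        with os.fdopen(fd, "w") as f:
            json.dump(entry, f)
        os.replace(tmp_path, self._path(key))

    def get(self, key, now=None):
        """Cached value, or None if missing or expired (expired entries are deleted)."""
        now = time.time() if now is None else now
        try:
            with open(self._path(key)) as f:
                entry = json.load(f)
        except FileNotFoundError:
            return None
        if entry["expires_at"] <= now:
            self.delete(key)  # do not leave a stale secret on disk
            return None
        return self.decrypt(entry["value"])

    def delete(self, key):
        try:
            os.remove(self._path(key))
        except FileNotFoundError:
            pass

    def clear(self):
        """Logout or session end: remove every entry, expired or not."""
        for name in os.listdir(self.cache_dir):
            os.remove(os.path.join(self.cache_dir, name))

    def purge_expired(self, now=None):
        """Housekeeping sweep for entries whose TTL passed without a read; returns the count removed."""
        now = time.time() if now is None else now
        removed = 0
        for name in os.listdir(self.cache_dir):
            path = os.path.join(self.cache_dir, name)
            try:
                with open(path) as f:
                    if json.load(f)["expires_at"] <= now:
                        os.remove(path)
                        removed += 1
            except (OSError, ValueError, KeyError):
                continue
        return removed


def file_mode(path):
    """Permission bits of path, to verify the 0600/0700 guarantees."""
    return os.stat(path).st_mode & 0o777
```

Run `purge_expired()` from a periodic job as well as relying on `get()`, since an entry that is never read again would otherwise sit on disk until the TTL is checked; `clear()` is what the logout handler calls.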

06 Signs You May Already Be Affected

Check your application's temporary directories and cache locations for plaintext credentials, tokens, or personal data. Review file permissions on cache files — if they are world-readable or group-readable, sensitive data may be exposed. Examine your code for cache writes that lack encryption or access control checks, and verify that cache clearing logic runs reliably on logout and session expiration.
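The two checks above (loose permissions on cache files, plaintext secrets inside them) can be scripted. The following is an added example, not part of the CWE entry: it walks a cache or temp directory, flags files readable by group or world, and greps their contents for a few constructed secret indicators. Function names, the `SECRET_PATTERNS` list and the labels are assumptions; extend the patterns with your own token formats.

```python
import os
import re
import stat

# Constructed indicators of plaintext secrets in a cache file; extend with your
# own token formats. Each entry is (label, compiled pattern).
SECRET_PATTERNS = [
    ("json-secret-field",
     re.compile(r'"(?:token|password|secret|api_key)"\s*:\s*"[^"]+"', re.I)),
    ("key-value-secret",
     re.compile(r'\b(?:password|passwd|token|secret)\s*=\s*\S+', re.I)),
    ("jwt-like", re.compile(r'\beyJ[\w-]{10,}\.[\w-]{10,}\.[\w-]{10,}')),
]


def permission_findings(path):
    """Permission-bit problems for one file: readable by group or by everyone."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    return findings


def content_findings(path, max_bytes=1_000_000):
    """Labels of SECRET_PATTERNS that match the first max_bytes of the file."""
    try:
        with open(path, "rb") as f:
            text = f.read(max_bytes).decode("utf-8", errors="replace")
    except OSError:
        return []
    return [label for label, pattern in SECRET_PATTERNS if pattern.search(text)]


def scan_cache_dir(cache_dir):
    """Walk a cache or temp directory and return {path: [findings]} for every
    regular file that is readable by others or appears to hold a plaintext secret."""
    report = {}
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            findings = permission_findings(path)
            if content_findings(path):
                findings.append("plaintext-secret-pattern")
            if findings:
                report[path] = findings
    return report


def format_report(report):
    """One line per flagged file, suitable for a cron job or CI step to print."""
    return "\n".join(f"{path}: {', '.join(findings)}"
                     for path, findings in sorted(report.items()))


if __name__ == "__main__":
    import sys
    print(format_report(scan_cache_dir(sys.argv[1] if len(sys.argv) > 1 else "/tmp")))
```

A file that is 0600 and contains no recognisable secret is not reported; a world-readable file is reported even without a content hit, because on a cache directory that alone is the condition the section describes.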

07 Related Recent Vulnerabilities