1. Home
  2. Web App Vulnerabilities
  3. How to remediate – Disclosed Hong Kong Identity Number
Searching...

How to remediate – Disclosed Hong Kong Identity Number

Contents

1. Introduction

Disclosed Hong Kong Identity Number refers to the unintentional exposure of a Hong Kong Identity Number (HKID number) through a web application response. This is a personally identifiable information (PII) leak that can lead to identity theft and fraud. Systems affected are typically those processing or displaying HKID numbers, such as government portals, financial services, or any application handling citizen data. A successful exposure could compromise the confidentiality of individuals’ personal information.

2. Technical Explanation

The vulnerability occurs when an HKID number is present in a web response without proper protection. This can happen due to insufficient input validation, improper data handling, or accidental inclusion during development. An attacker could exploit this by simply accessing the affected page and retrieving the exposed HKID number. The precondition for exploitation is access to the vulnerable webpage. CWE-200 (Information Leakage) applies here. For example, an attacker might request a user profile page that inadvertently includes their HKID number in the HTML source code.

  • Root cause: Unprotected HKID numbers within web application responses.
  • Exploit mechanism: An attacker accesses the affected webpage and retrieves the exposed HKID number directly from the response.
  • Scope: Web applications processing or displaying Hong Kong Identity Numbers.

3. Detection and Assessment

To confirm vulnerability, first inspect web responses for potential HKID numbers. A thorough method involves reviewing application code and data flows to identify where HKID numbers are handled.

  • Quick checks: Use browser developer tools (Inspect Element) to view the page source and search for patterns matching a valid HKID number format (e.g., ‘Xxxxxxxxx(x)’).
  • Scanning: Static Application Security Testing (SAST) tools can identify hardcoded or exposed sensitive data, but may produce false positives.
  • Logs and evidence: Review web server access logs for requests to affected pages. Look for unusual parameters or responses containing potential HKID numbers.
grep -i "Xxxxxxxxx(x)" /var/log/apache2/access.log

4. Solution / Remediation Steps

The following steps outline how to fix the issue. Only apply these steps to systems where an HKID number has been identified in a response.

4.1 Preparation

  • Ensure you have access to the application’s source code or configuration files. A roll back plan involves restoring the backed-up code/configuration.
  • Change windows may be required for production systems; approval from security and application owners is recommended.

4.2 Implementation

  1. Step 1: Examine the identified HKID number within the response to confirm its validity.
  2. Step 2: If a valid HKID number is present, remove it entirely from the response.
  3. Step 3: Alternatively, mask the HKID number so that only a few digits are visible (e.g., _*****123*****_).
  4. Step 4: Deploy the updated code or configuration to the production environment.

4.3 Config or Code Example

Before

<p>Your HKID number is: X123456789(0)</p>

After

<p>Your HKID number is: _*****123*****_</p>

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help prevent this issue.

  • Least privilege: Limit access to systems and data containing sensitive information like HKID numbers.
  • Input validation: Validate all user inputs to ensure they do not contain unexpected or malicious data.
  • Data masking: Mask sensitive data when it is not needed in its entirety, such as displaying only the last few digits of an HKID number.

4.5 Automation (Optional)

Automation scripts can be used to scan code repositories for exposed sensitive information. This example uses `grep` but more sophisticated tools are recommended.

#!/bin/bash
find /path/to/code -type f -name "*.php" | xargs grep -i "Xxxxxxxxx(x)"

5. Verification / Validation

Confirm the fix by checking that the HKID number is no longer exposed in web responses. Re-test the earlier detection method to verify the issue has been resolved.

  • Post-fix check: Use browser developer tools (Inspect Element) and search for the original HKID number pattern. The pattern should not be present in the response.
  • Re-test: Repeat the quick check from Section 3; no matches should be found.
  • Smoke test: Verify that other application functionalities, such as user login and profile updates, are still working correctly.
  • Monitoring: Implement a log query to alert on any responses containing potential HKID number patterns.
grep -i "Xxxxxxxxx(x)" /var/log/apache2/access.log #Expect no output

6. Preventive Measures and Monitoring

Update security baselines to include checks for exposed sensitive data. Add automated scans in CI/CD pipelines.

  • Baselines: Update security configuration baselines (e.g., CIS benchmarks) to include rules against exposing PII like HKID numbers.
  • Asset and patch process: Establish a regular review cycle for application configurations and code changes to identify potential vulnerabilities.

7. Risks, Side Effects, and Roll Back

  • Risk or side effect 1: Removing an HKID number could break a feature if it is required elsewhere in the system.
  • Risk or side effect 2: Masking might not be sufficient for all security requirements; complete removal may be necessary.
  • Roll back: Restore the backed-up application code and configuration to revert the changes.

8. References and Resources

  • Vendor advisory or bulletin: N/A – This is a general vulnerability type, not specific to one vendor.
  • NVD or CVE entry: https://cwe.mitre.org/data/definitions/200 (CWE-200 Information Leakage)
  • Product or platform documentation relevant to the fix: N/A – Depends on the specific application and technology used.
Updated on December 27, 2025

Was this article helpful?

Yes No

Related Articles