Soft Deletion of Resources - [Privacy Violation]

Introduction

Soft deletion is the practice of marking a record as deleted so the application hides it, without actually removing it from the database. Is it GDPR compliant? Not when the record holds personal data a user has asked to erase: the GDPR (General Data Protection Regulation) gives data subjects a right to erasure (Article 17) and requires personal data to be protected against unauthorized access and unlawful processing (Article 5(1)(f)). A row that is merely flagged is still stored, still processed, and still exposed by any code path that forgets the flag.

I am Inderjeet Singh aka encodedguy, and today, I will describe how soft deletion works, why it's a bad idea for developers and what's in it for security people.

Table of Contents:

  • Soft Deletion
  • Why it's a bad idea?
  • Security
  • Finding Soft Deletion Vulnerabilities

Soft Deletion

How is it possible to show that my passport is not on the table when it is still there? In the physical world it isn't, but in computers (a world of illusion) it can happen.

When designing their tables, developers add a boolean field is_deleted to every record. When a user deletes a record, the application sets is_deleted to true instead of removing the row:

UPDATE users_passports SET is_deleted = true WHERE user_id = req.user.ID;

When the user later lists their records, the flagged rows are filtered out and nothing appears to be left:

SELECT * FROM users_passports WHERE is_deleted = false AND user_id = req.user.ID;

The rows are kept so the business can keep collecting, processing and analyzing the user's data (and sometimes so a deletion can be undone), but from the user's point of view the record is gone.
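The pattern above in runnable form, as an added example that is not code from the original post. It uses an in-memory SQLite database with constructed rows; the table and is_deleted column follow the post, while the passport_id column, the sample data and the export_for_analytics helper are assumptions. It shows the owner's view hiding the row, a second code path that forgets the is_deleted filter and hands back the "deleted" passport number, and a hard delete that actually removes it:

```python
import sqlite3

# Constructed schema after the post's users_passports table; passport_id is an assumption.
SCHEMA = """
CREATE TABLE users_passports (
    passport_id TEXT PRIMARY KEY,
    user_id     INTEGER NOT NULL,
    number      TEXT NOT NULL,
    is_deleted  INTEGER NOT NULL DEFAULT 0  -- SQLite has no BOOLEAN type; 0 = false, 1 = true
);
"""

# Constructed sample rows: two passports for user 1, one for user 2.
SAMPLE_ROWS = [
    ("a1", 1, "P100001"),
    ("a2", 1, "P100002"),
    ("b1", 2, "P200001"),
]


def make_db():
    """Build an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO users_passports (passport_id, user_id, number) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def soft_delete(conn, user_id, passport_id):
    """The post's UPDATE: flag the row instead of removing it. Returns rows affected."""
    cur = conn.execute(
        "UPDATE users_passports SET is_deleted = 1 "
        "WHERE user_id = ? AND passport_id = ? AND is_deleted = 0",
        (user_id, passport_id),
    )
    conn.commit()
    return cur.rowcount


def list_passports(conn, user_id):
    """The post's SELECT with the filter: the owner no longer sees the flagged row."""
    rows = conn.execute(
        "SELECT passport_id FROM users_passports WHERE is_deleted = 0 AND user_id = ?",
        (user_id,),
    )
    return [r[0] for r in rows]


def export_for_analytics(conn):
    """A second code path (reporting job, admin export, backup dump) that forgets the
    filter. Every 'deleted' passport number comes straight back out."""
    rows = conn.execute("SELECT number FROM users_passports ORDER BY passport_id")
    return [r[0] for r in rows]


def hard_delete(conn, user_id, passport_id):
    """The erasure-friendly alternative: the row is gone from every code path."""
    cur = conn.execute(
        "DELETE FROM users_passports WHERE user_id = ? AND passport_id = ?",
        (user_id, passport_id),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    conn = make_db()
    soft_delete(conn, 1, "a1")
    print("owner sees:       ", list_passports(conn, 1))      # ['a2']
    print("analytics sees:   ", export_for_analytics(conn))   # P100001 is still there
    hard_delete(conn, 1, "a1")
    print("after hard delete:", export_for_analytics(conn))   # P100001 is gone
```

The point of export_for_analytics is that the filter lives in application code, not in the data: every query, report, backup and admin tool has to remember it, and the first one that does not becomes the privacy leak.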

Why it's a bad idea?

  • Extra storage is consumed because rows are never hard deleted, and every table needs the extra is_deleted column that every query must remember to filter on.
  • It's not GDPR compliant for personal data: the user has deleted their data, yet it is still present in the database and still being processed.

Security

Because soft deletion keeps personal data the user believes is gone, that data remains exposed to database breaches, backups, insiders and any endpoint that omits the is_deleted filter. Security researchers can therefore report soft deletion findings in pentests or bug bounty engagements; HackerOne submissions and the Bugcrowd VRT have categories for privacy-related bugs.

Finding Soft Deletion Vulnerabilities

How you find soft deletion depends on the application. The common idea is to delete something and then find a way to access the same resource after deletion, either through another API endpoint or through another table that still references it.

REST API

  • GET /api/v2/passports/<UUID-A>: 200 OK with the passport data.
  • DELETE /api/v2/passports/<UUID-A>: 200 OK with the passport data echoed in the response body (a genuine 204 No Content carries no body).
  • GET /api/v2/passports/<UUID-A>: 404 Not Found.
  • Send the DELETE request once again with the same UUID.
  • DELETE /api/v2/passports/<UUID-A>: 200 OK with the same passport data echoed back again.

The GET endpoint no longer returns the passport, but the DELETE endpoint proves the row was never hard deleted: a hard-deleted record would produce 404 Not Found on the second DELETE, not another copy of the data.

GraphQL

  • query { getUserPassport(id: "<UUID-A>") { fields } }: HTTP 200 with the passport data under data.getUserPassport.
  • mutation { deleteUserPassport(id: "<UUID-A>") { fields } }: HTTP 200 with the deleted passport's data echoed under data.deleteUserPassport.
  • query { getUserPassport(id: "<UUID-A>") { fields } }: HTTP 200, but data.getUserPassport is null or the errors array reports that the passport was not found (GraphQL servers usually keep answering 200 and signal "not found" in the body rather than with a 404).
  • Send the delete mutation once again with the same UUID.
  • mutation { deleteUserPassport(id: "<UUID-A>") { fields } }: the same passport data is echoed back again, which is only possible if the row still exists.
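The REST sequence above, and the GraphQL one, which is the same check over a different transport, as an added probe script; this is example code, not code from the original post. FakeApi is a constructed stand-in with a constructed record so the probe runs offline, and the status codes it returns are assumptions; against a real target you are authorized to test, replace its get() and delete() with actual HTTP calls that return (status, parsed body). The probe compares whatever body the second DELETE returns with the first GET, so a 204 with an empty body on the second DELETE is treated as inconclusive rather than as a leak:

```python
class FakeApi:
    """Constructed stand-in for the target's /api/v2/passports/<id> endpoint (assumed
    path) so the probe runs offline. hard=False emulates soft deletion (flag the row,
    keep it); hard=True emulates a real delete."""

    def __init__(self, records, hard):
        self.hard = hard
        # Copy each constructed record and add the server-side is_deleted flag.
        self._rows = {rid: dict(body, is_deleted=False) for rid, body in records.items()}

    @staticmethod
    def _public(row):
        # What the API would serialize: the flag itself is never exposed.
        return {k: v for k, v in row.items() if k != "is_deleted"}

    def get(self, rid):
        row = self._rows.get(rid)
        if row is None or row["is_deleted"]:
            return 404, None
        return 200, self._public(row)

    def delete(self, rid):
        row = self._rows.get(rid)
        if row is None:
            return 404, None
        if self.hard:
            del self._rows[rid]            # DELETE FROM ...: a second call finds nothing
        else:
            row["is_deleted"] = True       # UPDATE ... SET is_deleted = true: row survives
        return 200, self._public(row)      # many APIs echo the deleted object


def probe_soft_deletion(api, rid):
    """GET / DELETE / GET / DELETE against one resource id and report what the
    responses prove. The decisive signal is the second DELETE: a hard-deleted
    record cannot be echoed back a second time."""
    steps = []
    s1, first_body = api.get(rid)
    steps.append(("GET", s1))
    if s1 != 200:
        return {"resource_exists": False, "leak": False, "steps": steps}

    s2, _ = api.delete(rid)
    s3, _ = api.get(rid)
    s4, second_delete_body = api.delete(rid)
    steps += [("DELETE", s2), ("GET", s3), ("DELETE", s4)]

    hidden_from_get = s3 == 404
    echoed_again = s4 == 200 and second_delete_body == first_body
    return {
        "resource_exists": True,
        "hidden_from_get": hidden_from_get,
        "second_delete_echoes_data": echoed_again,
        "leak": hidden_from_get and echoed_again,
        "steps": steps,
    }


if __name__ == "__main__":
    sample = {"uuid-a": {"id": "uuid-a", "number": "P100001"}}  # constructed record
    print("soft-deleting API:", probe_soft_deletion(FakeApi(sample, hard=False), "uuid-a"))
    print("hard-deleting API:", probe_soft_deletion(FakeApi(sample, hard=True), "uuid-a"))
```

For a GraphQL target the same probe applies with get() sending the getUserPassport query and delete() sending the deleteUserPassport mutation; since GraphQL answers 200 either way, map "data.getUserPassport is null or errors is present" to the 404 branch before handing the result to the probe.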

Others

  • Delete your profile picture.
  • Is the picture's CDN URL still accessible? If yes, privacy is violated (check again after the CDN cache TTL has passed, so you are not looking at a stale cached copy).
  • Delete user-uploaded data (videos, attachments, etc.).
  • Are the files still accessible at their old URLs? If yes, privacy is violated.

Conclusion

Businesses use soft deletion for data collection and analytics, and for personal data it is not GDPR compliant. If you ever encounter such a soft deletion scenario while testing deletion, submit a bug report.

Thank you for reading!
Author: Inderjeet Singh
Twitter: twitter.com/3nc0d3dGuY