In my experience conducting penetration tests, I’ve observed an awkward phenomenon.
Vulnerabilities leading to information leakage have become almost commonplace. It’s as if an application doesn’t feel “legitimately launched” these days unless it has a few data exposure issues under its belt.
However, why must information leakage—a problem that should theoretically be mitigated during the development phase—always wait until a system is in production to be discovered?
During university, we churned out one course project after another, transitioning from C to Java and then to Python. Eventually, I realized that the essence of all software boils down to CRUD operations (Create, Read, Update, Delete) on a database.
The only real difference between a programmer and an average user is that one interacts with a dry SQL console and JSON interfaces, while the other clicks a mouse on a polished Graphical User Interface (GUI).

For many “pseudo-programmers” in college, seeing passwords transmitted in plaintext or ID numbers hardcoded into scripts was business as usual.
Security? Hardly anyone mentioned it. The guiding principle was: “As long as it runs, it’s fine.”
Privacy vs. Convenience: The Famous Paradox
Years ago, a certain CEO made a controversial statement:
“Chinese people are more open about privacy. If they can exchange privacy for convenience, safety, or efficiency, they are often willing to do so.”
There is some truth to this, but it is equally tragic.
Two or three years ago, while I was still a student, the local police station near my university required us to register for anti-fraud information. To my shock, the link provided led to a site using HTTP (Plaintext Transmission) without SSL encryption—yet the form required sensitive data like ID numbers.

In other words, had I submitted that data over the campus network, any administrator with access to network probes could have intercepted my sensitive information in cleartext.
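A simple defender-side check for the situation described above, added here as an illustration and not part of the original post: it parses a page's forms and flags any form that would submit sensitive fields (ID numbers, phone numbers, passwords) to an `http://` action URL. The sample HTML, the `example.invalid` host and the list of field names treated as sensitive are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed heuristic: input names that usually carry sensitive data.
SENSITIVE_NAMES = {"password", "passwd", "pwd", "id_number", "idcard",
                   "id_card", "phone", "mobile", "tel"}


class _FormCollector(HTMLParser):
    """Collect every <form> together with its action and the (name, type) of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None when the attribute has no value
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(
                ((a.get("name") or "").lower(), (a.get("type") or "text").lower())
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_plaintext_sensitive_forms(page_url, html):
    """Return [(action_url, [sensitive field names])] for every form that would
    send sensitive fields over plain HTTP.

    The action is resolved against the page URL, so a relative action on an
    https:// page stays https and is not flagged; an empty action posts back to
    the page itself.
    """
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        action = urljoin(page_url, form["action"])
        if urlparse(action).scheme != "http":
            continue
        sensitive = [name for name, typ in form["fields"]
                     if typ == "password" or name in SENSITIVE_NAMES]
        if sensitive:
            findings.append((action, sensitive))
    return findings


# Constructed sample page: an anti-fraud registration form plus a harmless search form.
SAMPLE_HTML = """
<html><body>
<form action="/submit" method="post">
  <input name="name" type="text">
  <input name="id_number" type="text">
  <input name="phone" type="text">
  <input type="submit">
</form>
<form action="https://example.invalid/search">
  <input name="q" type="text">
</form>
</body></html>
"""

if __name__ == "__main__":
    for action, fields in find_plaintext_sensitive_forms("http://example.invalid/register", SAMPLE_HTML):
        print(f"plaintext submission of {fields} to {action}")
```

Run against the constructed page the check reports the registration form posting `id_number` and `phone` to `http://example.invalid/submit`; the same page served over `https://` produces no finding, which is exactly the fix the author asked the station to make.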
In a fit of professional indignation, I called the 12345 government service hotline to complain. A few days later, the police station called me back and asked, “How do you think we should fix this? You’re the expert here.”
I realized then that many grassroots organizations don’t understand technology; they are merely “completing a task,” not “building a system.”
Consequently, the burden of information leakage ultimately falls back on the programmers.
The Blurred Boundaries of Privacy
In today’s digital landscape, registering an account is nearly impossible without a phone number and real-name authentication. Once a leak occurs, your personal identity is often exposed alongside your mobile number. “Doxing” or precision geolocation via a phone number is no longer news.
Many opt for “secondary SIMs” to mitigate risk, but even with the limit of five cards per person, that is far from enough. If an app requires an ID upload, you can’t exactly ask the police for “a few extra identities.”
Yet, it is the weight of the law that compels internet service providers to act this way.
The Ministry of Industry and Information Technology (MIIT) requires all websites providing services within China to be filed (ICP Filing). The core purpose is traceability—ensuring that if a problem arises, a specific accountable person can be found. This necessitates real-name systems. From this perspective, software vendors have their hands tied. This is especially true for open forums; you can never predict when a user might post inappropriate content. If the individual cannot be found, the legal liability falls solely on the site operator.
This is precisely why I do not open the comments section on my own blog. It’s not a lack of desire for dialogue, but a choice for security and compliance—reducing risk for myself.

At this point, many ask:
“Isn’t an IP address the ID card of the internet? Why do you need personal info if you have the IP?”
While technically true, the total pool of IPv4 addresses is capped at roughly 4.2 billion. They cannot be mapped one-to-one to every user. Because of NAT (Network Address Translation), a single IP often hides hundreds or thousands of devices. Finding a specific person via an IP is like looking for a needle in a haystack. Real-name authentication provides far superior precision.
Furthermore—Data is Wealth.
E-commerce platforms track every click; short-video apps record every second you linger. This behavioral data forms your “User Persona.” Algorithms push content based on these preferences to keep you consuming.
The more data they harvest, the greater the profit.
Why Does Information Leakage Persist?
In my view, there are two fundamental reasons:
1. Data is an Asset: Vendors Want It, but Won’t Protect It
Data is used for profiling, analysis, and risk control. Many vendors simply dump data into databases in plaintext—no de-identification, no encryption, sometimes even using default passwords. Large corporations generally care about their reputation, but smaller vendors? There are no guarantees.
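The passage above contrasts raw plaintext storage with de-identification. The following added example (mine, not the author's, and not tied to any particular vendor's code) shows the minimum transformation a record should undergo before it reaches a profiling or risk-control store: sensitive fields are masked for display and replaced by keyed, deterministic pseudonyms (HMAC-SHA256) so records can still be joined for analysis without the raw ID number or phone number ever being written. The sample record, the field names and the key are constructed assumptions; in a real system the key would live in a secret store, not in source code.

```python
import hashlib
import hmac
import secrets

# Constructed key for this example only; a real deployment loads it from a KMS/secret store.
PSEUDONYM_KEY = secrets.token_bytes(32)

# Fields that must never be stored raw, with how much to keep visible when masking.
SENSITIVE_FIELDS = {
    "phone": (3, 4),       # 138****1234
    "id_number": (6, 4),   # 110101********1234
}


def mask(value, keep_prefix, keep_suffix):
    """Replace the middle of a string with '*' for human-facing display."""
    if len(value) <= keep_prefix + keep_suffix:
        return "*" * len(value)
    hidden = len(value) - keep_prefix - keep_suffix
    return value[:keep_prefix] + "*" * hidden + value[-keep_suffix:]


def pseudonym(value, key=PSEUDONYM_KEY):
    """Keyed, deterministic pseudonym: the same input always maps to the same token,
    so analytics can join on it, but the token cannot be reversed without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def deidentify(record, key=PSEUDONYM_KEY):
    """Return the version of `record` that is allowed to reach the analytics store."""
    stored = {}
    for field, value in record.items():
        if field in SENSITIVE_FIELDS:
            prefix, suffix = SENSITIVE_FIELDS[field]
            stored[field + "_masked"] = mask(value, prefix, suffix)
            stored[field + "_token"] = pseudonym(value, key)
        else:
            stored[field] = value
    return stored


def leaks_raw(stored, record):
    """Guard to run before any write: True if a raw sensitive value survived."""
    raw_values = {record[f] for f in SENSITIVE_FIELDS if f in record}
    return any(v in raw_values for v in stored.values())


# Constructed sample record (not a real person).
RAW_RECORD = {
    "user_id": 42,
    "phone": "13800001234",
    "id_number": "110101199001011234",
    "city": "Beijing",
}

if __name__ == "__main__":
    safe = deidentify(RAW_RECORD)
    print(safe)
    print("raw value leaked:", leaks_raw(safe, RAW_RECORD))
```

The `leaks_raw` guard is the kind of check that turns "no de-identification" from a habit into a failing test: the raw record itself trips it, the de-identified record does not.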
2. Weak Security Awareness Among Developers
Many small enterprises prefer fresh graduates—they are inexpensive and compliant. However, many Software Engineering programs have historically lacked systematic cybersecurity curricula. Students prioritize “making it work” over “making it secure.” When this habit follows them into the workplace, vulnerabilities are inevitable. Furthermore, when veteran programmers move into management with a “we’ve always done it this way” mindset, they dismiss security proposals as “unnecessary”—until a breach actually happens.
Let the Law be the Baseline for Security
The ultimate solution to information leakage isn’t relying on penetration testing to “patch the holes” after the fact. It requires changing the source: Awareness and Accountability.
If security awareness cannot be raised voluntarily, it must be enforced by law.
If there is a violation, there must be a penalty. A fine once is a lesson learned forever.
As the legal scholar Luo Xiang famously said:
“The law is the baseline of morality.”
Similarly, the law should be the baseline of security.

Final Thoughts
In recent years, as policies have improved, apps that excessively demand user data and permissions have been delisted. The implementation of centralized digital IDs is a sign of a maturing regulatory system. I hope that one day, enterprises will be truly constrained by law, so that “low-level vulnerabilities” like information leakage disappear entirely from penetration testing reports.
✍️ Finally, you are also welcome to follow my WeChat official account.
