Information disclosure is a security weakness where an application or system reveals data that should remain confidential. This exposed information might include personal data, internal documents, access tokens, API keys, stack traces, configuration files, software versions, or details about the internal architecture.
Some disclosures happen directly through broken authorisation, verbose error handling, or API responses that return more data than the client actually needs. Others come from debugging endpoints left enabled, publicly accessible cloud storage, web directory listings, or other metadata that helps an attacker map the environment.
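As an added example (not code from the original page), the two direct mechanisms above side by side in plain Python: a handler that serialises the whole database row against one that builds the response from a field allowlist, and an error handler that echoes the exception and traceback to the client against one that logs them server-side under a reference ID. The record, the field names and the failing lookup with its path are all constructed for illustration.

```python
import json
import logging
import traceback
import uuid

log = logging.getLogger("api")

# Constructed sample row, as a user lookup might return it from the database.
USER_RECORD = {
    "id": 42,
    "email": "alice@example.com",
    "display_name": "Alice",
    "password_hash": "$2b$12$constructed-hash-value",
    "api_key": "sk_live_constructed_key",
    "internal_notes": "flagged for manual review",
}

# Vulnerable: the whole row is serialised, so every caller gets the hash,
# the API key and the internal notes along with the public fields.
def get_user_vulnerable(record, requester_id):
    return {"status": 200, "body": dict(record)}

# Hardened: the response is built from an allowlist chosen by who is asking.
# Fields are opted in, so a newly added sensitive column never leaks by default.
PUBLIC_FIELDS = ("id", "display_name")
SELF_FIELDS = PUBLIC_FIELDS + ("email",)

def shape(record, allowed):
    return {k: record[k] for k in allowed if k in record}

def get_user_hardened(record, requester_id):
    fields = SELF_FIELDS if requester_id == record["id"] else PUBLIC_FIELDS
    return {"status": 200, "body": shape(record, fields)}

# A lookup that fails in a way that names an internal file (hypothetical path).
def failing_lookup(record, requester_id):
    raise FileNotFoundError("/srv/app/config/secrets.yml")

# Vulnerable: exception text and traceback go straight to the client,
# revealing filesystem paths, module names and the failing line.
def handle_error_vulnerable(exc):
    return {"status": 500, "body": {"error": str(exc), "trace": traceback.format_exc()}}

# Hardened: full detail is logged server-side under a reference the client can
# quote to support; the client sees only a generic message and that reference.
def handle_error_hardened(exc):
    ref = uuid.uuid4().hex[:12]
    log.error("ref=%s %s", ref, traceback.format_exc())
    return {"status": 500, "body": {"error": "internal error", "ref": ref}}

def dispatch(handler, error_handler, record, requester_id):
    """Run a handler and route any exception to the chosen error handler.
    The error handler is called inside the except block, so format_exc()
    still sees the active exception."""
    try:
        return handler(record, requester_id)
    except Exception as exc:
        return error_handler(exc)

if __name__ == "__main__":
    for name, h, e in [("vulnerable", get_user_vulnerable, handle_error_vulnerable),
                       ("hardened", get_user_hardened, handle_error_hardened)]:
        print(name, "lookup by another user:", json.dumps(dispatch(h, e, USER_RECORD, 7)["body"]))
        print(name, "failure:", json.dumps(dispatch(failing_lookup, e, USER_RECORD, 7)["body"]))
```

The allowlist is the important half: a denylist of "secret" columns would have to be updated every time the schema grows, whereas an allowlist fails closed.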
Leakage of customer data can trigger regulatory, contractual, and reputational consequences, whilst technical details can materially reduce the work an attacker needs to do to pursue a compromise by helping them identify vulnerable components, authenticate to other services, or construct reliable exploit chains.
A hidden admin endpoint referenced in a client-side response, a session token carried in a URL, or a stack trace revealing filesystem paths can each shorten the route to a breach even though each looks minor in isolation. Such issues are often missed internally because the exposed data looks normal to someone who already understands the system, whereas to an attacker it is a clue for piecing together how the application works and where the weaknesses are.
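Those indicators can be hunted mechanically while reviewing responses during a test. The checker below is an added example, not from the original page or any named tool: given a URL, headers and body it flags version-bearing headers, session-like query parameter names, stack-trace markers, absolute filesystem paths, directory listings and secret-looking JSON field names. The regular expressions are heuristics, and the sample responses are constructed rather than captured.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Headers that commonly carry product and version strings.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
VERSION_RE = re.compile(r"\d+\.\d+")
# Markers of a stack trace from common runtimes (heuristic, not exhaustive).
TRACE_RE = re.compile(
    r"Traceback \(most recent call last\)"          # Python
    r"|\bat [\w$.]+\([\w$]+\.java:\d+\)"             # Java
    r"|\bat [\w.]+ in [A-Za-z]:\\[^\n]+:line \d+"    # .NET
    r"|Stack trace:"                                 # PHP and others
)
# Absolute Unix paths under common roots, or Windows drive paths.
PATH_RE = re.compile(r"(?<![\w/])/(?:var|etc|home|srv|usr|opt|app)/[\w./-]+|[A-Za-z]:\\[\w\\. -]+")
# Query parameter names that usually carry a credential or session identifier.
TOKEN_PARAM_RE = re.compile(r"sess|sid|token|auth|key|jwt", re.I)
# JSON field names that should rarely appear in a response body.
SECRET_KEY_RE = re.compile(r"password|passwd|secret|api_?key|private_key|token", re.I)
DIR_LISTING_RE = re.compile(r"<title>\s*Index of /", re.I)

def _walk_json(node, prefix=""):
    """Yield (dotted key path, value) for every leaf of a parsed JSON document."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk_json(v, f"{prefix}{k}.")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk_json(v, f"{prefix}{i}.")
    else:
        yield prefix.rstrip("."), node

def check_response(url, headers, body):
    """Return a list of (finding type, detail) tuples for one HTTP response."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    for name in VERSION_HEADERS:
        value = lower.get(name, "")
        if VERSION_RE.search(value):
            findings.append(("version-header", f"{name}: {value}"))
    parts = urlsplit(url)
    for param in parse_qs(parts.query, keep_blank_values=True):
        if TOKEN_PARAM_RE.search(param):
            findings.append(("token-in-url", param))
    m = TRACE_RE.search(body)
    if m:
        findings.append(("stack-trace", m.group(0)))
    for path in PATH_RE.findall(body):
        findings.append(("filesystem-path", path))
    if DIR_LISTING_RE.search(body):
        findings.append(("directory-listing", parts.path))
    if lower.get("content-type", "").startswith("application/json"):
        try:
            for key, _ in _walk_json(json.loads(body)):
                if SECRET_KEY_RE.search(key.rsplit(".", 1)[-1]):
                    findings.append(("sensitive-json-field", key))
        except ValueError:
            pass  # not valid JSON despite the header; the other checks still ran
    return findings

# Constructed sample responses (not real captures): name -> (url, headers, body).
SAMPLE_RESPONSES = {
    "php-error": (
        "https://shop.example.test/checkout?order=1001&session=3f9a0c",
        {"Server": "nginx/1.18.0", "X-Powered-By": "PHP/7.4.3", "Content-Type": "text/html"},
        "Fatal error: Uncaught PDOException in /var/www/html/app/db.php:31\n"
        "Stack trace:\n#0 /var/www/html/app/checkout.php(88): Db->query()",
    ),
    "json-overexposure": (
        "https://shop.example.test/api/users/42",
        {"Content-Type": "application/json"},
        json.dumps({"id": 42, "display_name": "Alice", "password_hash": "$2b$12$x",
                    "api_key": "sk_test_x", "address": {"city": "Leeds"}}),
    ),
    "dir-listing": (
        "https://shop.example.test/backup/",
        {"Content-Type": "text/html"},
        "<html><head><title>Index of /backup</title></head><body>db-2023.sql.gz</body></html>",
    ),
    "clean": (
        "https://shop.example.test/api/users/42",
        {"Content-Type": "application/json", "Server": "nginx"},
        json.dumps({"id": 42, "display_name": "Alice"}),
    ),
}

def scan_all(responses):
    return {name: check_response(*resp) for name, resp in responses.items()}

if __name__ == "__main__":
    for name, findings in scan_all(SAMPLE_RESPONSES).items():
        print(name, findings or "no findings")
```

A hit is a lead, not a verdict: each finding still needs the manual review the next paragraph describes to decide whether the exposed detail matters in this application's context.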
This is a common finding category in both web application penetration testing and API penetration testing, where manual review is needed to identify what sensitive information is exposed and why it matters in context.