testers.ai

Privacy Violations Demonstration

Violations Compliant Examples About

⚠️ Important Notice

This page contains intentional privacy violations for testing and educational purposes only. These examples demonstrate common privacy mistakes that should NEVER be implemented in production code. Always follow privacy regulations (GDPR, HIPAA, CCPA) and security best practices.

Privacy Violations

The following examples demonstrate common privacy violations:

1. Passwords Visible in HTML (Not Starred)

Passwords should never be displayed in plain text in HTML:

<input type="text" name="password" value="MySecretPassword123!"> <!-- VIOLATION: Password visible in HTML -->

Current password: MySecretPassword123!

2. User Information Logged to Console

User data should never be logged to browser console in production:

console.log("User login:", { email: "john.doe@example.com", password: "password123", ssn: "123-45-6789", creditCard: "4532-1234-5678-9010" });

3. User Information Sent in URL Parameters

Sensitive data should never be passed in URL query strings:

<a href="profile.html?email=john.doe@example.com&ssn=123-45-6789&dob=1985-03-15"> View Profile </a>

View Profile (VIOLATION - PII in URL)

4. Error Messages Revealing PII/Passwords

Error messages should not expose sensitive information:

Error: Login failed for user john.doe@example.com with password "MySecretPassword123!". Account locked. SSN: 123-45-6789. Please contact support at john.doe@example.com.

5. HIPAA Violations - Patient Information Exposed

Protected Health Information (PHI) should never be displayed without proper authorization:

Patient Record (VIOLATION - No Authorization Check)

Name: Jane Smith

DOB: 1985-03-15

SSN: 123-45-6789

Medical Record Number: MRN-123456

Diagnosis: Type 2 Diabetes, Hypertension

Medications: Metformin 500mg, Lisinopril 10mg

Address: 456 Health St, Medical City, ST 54321

Phone: (555) 123-4567

Insurance ID: INS-987654321

Last Visit: 2024-12-15 - Blood pressure: 140/90, Weight: 180 lbs

6. GDPR Violations - Personal Data in Comments

Personal data should never be stored in HTML comments or source code:

<!-- User: john.doe@example.com, IP: 192.168.1.100, Location: New York, NY --> <!-- Session ID: abc123xyz, User Agent: Mozilla/5.0..., Cookie: tracking_id=12345 -->

7. Data Sent to Third-Party Services Without Consent

User data should not be sent to analytics or third-party services without explicit consent:

// Sending PII to analytics without consent analytics.track('user_signup', { email: 'john.doe@example.com', name: 'John Doe', phone: '555-123-4567', address: '123 Main St, Anytown, ST 12345' });

8. Session Data Exposed in Local Storage

Sensitive session data should not be stored in localStorage or sessionStorage:

localStorage.setItem('user', JSON.stringify({ email: 'john.doe@example.com', password: 'MySecretPassword123!', ssn: '123-45-6789', creditCard: '4532-1234-5678-9010' }));

9. Hidden Form Fields with Sensitive Data

Sensitive data should never be stored in hidden form fields:

View page source or inspect form to see hidden fields

10. API Responses Exposing Sensitive Data

API responses should not return more data than necessary:

{ "user": { "id": 12345, "email": "john.doe@example.com", "password": "MySecretPassword123!", "ssn": "123-45-6789", "creditCard": "4532-1234-5678-9010", "dob": "1985-03-15", "address": "123 Main St, Anytown, ST 12345", "phone": "555-123-4567", "internalNotes": "VIP customer, high risk", "adminAccess": true } }

Compliant Examples

The following examples demonstrate proper privacy practices:

1. Passwords Properly Hidden

Passwords should use type="password" and never be displayed:

✓ Password is masked and not visible in HTML

2. Secure Error Messages

Error messages should not reveal sensitive information:

Error: Invalid credentials. Please try again or reset your password.

✓ Generic error message that doesn't reveal user existence or details

3. Secure Data Transmission

Use POST requests with HTTPS for sensitive data:

// Compliant: POST request over HTTPS fetch('/api/login', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ email, password }) });

4. HIPAA Compliant - Authorization Check

Patient information should only be displayed after proper authorization:

Patient Record (Compliant - Authorization Required)

Status: ✓ Authorized access verified

Access Level: Physician

Patient ID: [REDACTED]

Last Visit: [REDACTED]

Full patient details available after additional authentication

5. GDPR Compliant - Data Minimization

Only collect and display necessary data:

// Compliant: Only return necessary user data { "user": { "id": 12345, "displayName": "John D.", "role": "user" } }

6. Secure Session Management

Use secure, HTTP-only cookies for session management:

// Compliant: Secure session cookie Set-Cookie: sessionId=abc123xyz; HttpOnly; Secure; SameSite=Strict

7. Consent Management

Obtain explicit consent before collecting or sharing data:

✓ Explicit consent required before data collection

8. Data Encryption

Sensitive data should be encrypted at rest and in transit:

// Compliant: Encrypted data storage const encrypted = encrypt(userData, encryptionKey); database.store(encrypted);

About This Page

This page is designed for:

Remember: Never implement these violations in production code. Always follow privacy regulations and security best practices.