## Server-Side SSN Exposure in Work Info Module Bypassed Client-Side Masking
A data exposure vulnerability in the application's work information module rendered full Social Security Numbers in the HTML Document Object Model while masking them only through client-side JavaScript. The flaw existed in the `@user.work_info.SSN` field, where complete nine-digit SSNs were embedded server-side before any client-side masking was applied. This architectural weakness meant that any user inspecting page source, disabling JavaScript, or intercepting network responses could retrieve unmasked SSNs directly from the DOM.

The vulnerability stemmed from a common but dangerous pattern: trusting client-side JavaScript to protect server-rendered sensitive data. While the application's masking logic visually obscured SSNs for normal users, it performed no server-side redaction before transmitting the full value to browsers. Line 30 of `app/views/work_info/index.html.erb` originally contained the raw `<%= @user.work_info.SSN %>` call, exposing complete SSNs to anyone with basic browser developer tools or HTTP interception capabilities.

The fix implements server-side masking, ensuring that masked SSNs arrive at the client already protected. This architectural shift eliminates the entire class of bypass vectors—source inspection, JavaScript-disabled browsing, and man-in-the-middle attacks—by redacting sensitive data before it reaches the browser. The affected view file was updated to render masked values rather than full SSNs, closing a critical exposure window in the application's view layer.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: ssn-exposure, pii-leak, client-side-masking-bypass, dom-manipulation, security-vulnerability
- **Credibility**: unverified
- **Published**: 2026-05-13 15:48:35
- **ID**: 82650
- **URL**: https://whisperx.ai/en/intel/82650