CWE-778

No Last Activity Display

Not showing users their account's last activity makes it harder for them to detect unauthorized access.

How It Works

When users see 'Last login: Yesterday at 9:42 PM from Chrome/Windows', they can immediately spot if something doesn't match their activity. This simple transparency feature — common in Google, Apple, and banking apps — acts as an early warning system for account compromise without requiring any additional security infrastructure.

Vulnerable Code

// BAD: account settings shows no activity history
// Settings page displays: name, email, password fields
// No last login info, no device list, no activity log
Secure Code

// GOOD: show last activity to help users detect unauthorized access
// Save a session record on each login (db and getCountryFromIP are the
// application's own storage and IP-geolocation helpers):
async function recordLogin(req, userId) {
  await db.sessions.create({
    userId,
    createdAt: new Date(),
    userAgent: req.headers['user-agent'],
    ipCountry: getCountryFromIP(req.ip)
  });
}
// Display in settings:
// 'Last login: 2 hours ago · Chrome on Windows · United States'

Real-World Example

Google's 'Last account activity' link at the bottom of Gmail is credited by security researchers as one of the most effective account compromise detection mechanisms for regular users — because it requires no security knowledge, just pattern recognition.

How to Prevent It

  • Log login timestamp, device type, and approximate location on every authentication
  • Display the last 5 sessions in account settings with relative timestamps
  • Allow users to click 'Not you? Revoke this session' directly from the activity list
  • Send an alert email if a login occurs from a new country or unknown device
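The four steps above as one small in-memory module, added here as an example and not Data Hogo's code: it records a login with a device label and country, flags logins from a country or device not seen before for that user (a first login has no baseline, so it never alerts), renders the last five sessions with relative timestamps, and lets a session be revoked. The session store, the `ipCountry` value and the alert delivery are assumed to be supplied by the application.

```javascript
// Added example: in-memory activity log; a real app would back this with its database.
const sessions = new Map(); // userId -> array of session records (constructed store)

// Coarse device label from a User-Agent string, enough for a human to recognise.
function describeDevice(userAgent = '') {
  const browser = /Firefox\//.test(userAgent) ? 'Firefox'
    : /Chrome\//.test(userAgent) ? 'Chrome'     // Chrome UAs also contain "Safari"
    : /Safari\//.test(userAgent) ? 'Safari' : 'Unknown browser';
  const os = /Windows/.test(userAgent) ? 'Windows'
    : /Android/.test(userAgent) ? 'Android'
    : /iPhone|iPad/.test(userAgent) ? 'iOS'
    : /Mac OS X/.test(userAgent) ? 'macOS' : 'unknown OS';
  return `${browser} on ${os}`;
}

// Steps 1 and 4: record a login and report whether it should trigger an alert email.
// `ipCountry` is assumed to come from the app's IP geolocation lookup; `now` is epoch ms.
function recordLogin(userId, { now, userAgent, ipCountry, sessionId }) {
  const history = sessions.get(userId) || [];
  const device = describeDevice(userAgent);
  const newCountry = history.length > 0 && !history.some(s => s.ipCountry === ipCountry);
  const newDevice = history.length > 0 && !history.some(s => s.device === device);
  const record = { sessionId, createdAt: now, device, ipCountry, revoked: false };
  sessions.set(userId, [...history, record]);
  const reasons = [...(newCountry ? ['new country'] : []), ...(newDevice ? ['new device'] : [])];
  return { record, alert: reasons.length > 0, reasons };
}

// Step 2: human-readable relative time ("2 hours ago") for the settings page.
function relativeTime(then, now) {
  const minutes = Math.round((now - then) / 60000);
  if (minutes < 1) return 'just now';
  if (minutes < 60) return `${minutes} minutes ago`;
  const hours = Math.round(minutes / 60);
  if (hours < 24) return `${hours} hours ago`;
  return `${Math.round(hours / 24)} days ago`;
}

// Most recent sessions first, revoked ones hidden; element 0 is the "Last login" line.
function recentSessions(userId, now, limit = 5) {
  return (sessions.get(userId) || []).filter(s => !s.revoked)
    .sort((a, b) => b.createdAt - a.createdAt).slice(0, limit)
    .map(s => `${relativeTime(s.createdAt, now)} · ${s.device} · ${s.ipCountry}`);
}

// Step 3: "Not you? Revoke this session" marks the record so it is no longer valid.
function revokeSession(userId, sessionId) {
  const s = (sessions.get(userId) || []).find(r => r.sessionId === sessionId);
  if (s) s.revoked = true;
  return Boolean(s);
}
```

The alert decision compares against the user's own history, so the first login from a new country or device is what gets flagged; the email itself is the caller's job.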

Affected Technologies

javascript

Data Hogo detects this vulnerability automatically.
