Create Shared content: Make impacts consistents across messenger secrets (#2950)

## Review

A dedicated reviewer checked the rule description successfully for:

- [ ] logical errors and incorrect information
- [ ] information gaps and missing content
- [ ] text style and tone
- [ ] PR summary and labels follow [the
guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)

---------

Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com>

rules/S6688/secrets/rule.adoc

@@ -6,21 +6,25 @@ include::../../../shared_content/secrets/rationale.adoc[]
 
 === What is the potential impact?
 
-A Facebook application secret key is a unique authentication token assigned to a
-Facebook application. It is used to authenticate and authorize the application
-to access Facebook's APIs and services. This key is required to perform actions
-on Facebook API, such as retrieving user data, posting on behalf of users, or
-accessing various Facebook features.
+A Facebook application secret key is a unique authentication token assigned to
+a Facebook application. It is used to authenticate and authorize the
+application to access Facebook's APIs and services, such as:
 
-If a Facebook application secret key leaks to an unintended audience, it can
-have serious security-related consequences both for the associated Facebook
-application and its users. Especially, attackers knowing an application's secret
-key will be able to access users' data that the application has been granted
-access to.
+* retrieving user data
+* posting on behalf of users
+* accessing various Facebook features
 
-This can represent a severe confidentiality loss for Personally Identifiable
-Information. This might be against national regulatory requirements in some
-countries.
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+include::../../../shared_content/secrets/impact/personal_data_compromise.adoc[]
+
+:secret_type: secret
+
+
+include::../../../shared_content/secrets/impact/phishing.adoc[]
+
+include::../../../shared_content/secrets/impact/malware_distribution.adoc[]
 
 == How to fix it
 

rules/S6695/secrets/rule.adoc

@@ -9,22 +9,19 @@ include::../../../shared_content/secrets/rationale.adoc[]
 WeChat application keys are used for authentication and authorization purposes
 when integrating third-party applications with the WeChat platform. 
 
-If a WeChat app key were to leak to an unintended audience, it could have severe
-consequences for both the app developer and the app users. The unauthorized
-individuals or malicious actors who gain access to the app key would have the
-potential to exploit it in various ways.
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
 
-One of the primary risks is the unauthorized access to sensitive user data
-associated with the WeChat app. This could include personal information, chat
-logs, and other private data that users have shared on the platform. The leaked
-app key could provide a gateway for unauthorized individuals to access and
-misuse this data, compromising the privacy and security of WeChat users.
+include::../../../shared_content/secrets/impact/personal_data_compromise.adoc[]
 
-Another significant concern is the potential for impersonation and unauthorized
-actions. With the leaked app key, malicious actors could impersonate the app and
-perform actions on behalf of the app without proper authorization. This could
-lead to various security breaches, such as sending spam messages, spreading
-malware, or conducting phishing attacks on unsuspecting WeChat users.
+
+:secret_type: secret
+
+include::../../../shared_content/secrets/impact/phishing.adoc[]
+
+include::../../../shared_content/secrets/impact/malware_distribution.adoc[]
+
+==== WeChat exploitation
 
 Furthermore, the leaked app key could enable unauthorized parties to manipulate
 or disrupt the functionality of the WeChat app. They could tamper with app

rules/S6701/secrets/rule.adoc

@@ -11,11 +11,17 @@ the Telegram Bot API. These keys are essentially access tokens that allow the
 bot to send and receive messages, manage groups and channels, and perform other
 actions on behalf of the bot.
 
-If a Telegram bot key is accidentally exposed to an unintended audience, the
-primary concern is that unauthorized individuals may gain access to the bot's
-functionalities and data. This could result in misuse or abuse of the bot's
-capabilities. For instance, unauthorized users could send unsolicited
-messages, spam users, or engage in other disruptive activities using the bot.
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+include::../../../shared_content/secrets/impact/personal_data_compromise.adoc[]
+
+:secret_type: secret
+
+
+include::../../../shared_content/secrets/impact/phishing.adoc[]
+
+include::../../../shared_content/secrets/impact/malware_distribution.adoc[]
 
 == How to fix it
 

rules/S6708/secrets/rule.adoc

@@ -6,31 +6,19 @@ include::../../../shared_content/secrets/rationale.adoc[]
 
 === What is the potential impact?
 
-In the case of Discord, a webhook URL allows access to a channel and the
-consequences depend on what is specified in the `Bot Permissions`.
+The Discord webhook URL grants access to a channel in your server, represented by
+a bot. A plethora of permissions can be specified in the `Bot Permissions` pane.
 
 Below are some real-world scenarios that illustrate some impacts of an attacker
-exploiting the vulnerability.
+exploiting the secret.
 
-==== Identity spoofing
+include::../../../shared_content/secrets/impact/personal_data_compromise.adoc[]
 
-Using the webhook URL, attackers can impersonate you or your bot, send messages
-on your behalf or perform other actions that could disrupt the integrity of
-your server.
+:secret_type: webhook
 
-==== Phishing
+include::../../../shared_content/secrets/impact/phishing.adoc[]
 
-An attacker can use this webhook to offer users links to a malicious
-domain controlled by the attacker. From here, an attacker can intercept the
-user’s credentials, bypass multi-factor authentication (MFA), and take over the
-user’s account on the trusted site.
-
-==== Malware distribution
-
-In addition, malware can be stored and distributed, both to Discord users and
-other potential targets, as Discord is often used for storage. +
-It is important to note that this leak can lead
-to full system compromises in the worst-case scenario.
+include::../../../shared_content/secrets/impact/malware_distribution.adoc[]
 
 
 == How to fix it

shared_content/secrets/impact/malware_distribution.adoc

@@ -0,0 +1,6 @@
+==== Malware distribution
+
+In addition, malware can be stored and distributed, both to users of the
+service and other potential targets. +
+It is important to note that this leak can lead to full system compromises in
+the worst-case scenario.

shared_content/secrets/impact/personal_data_compromise.adoc

@@ -0,0 +1,14 @@
+==== Compromise of sensitive personal data
+
+This kind of service is often used to exchange information that could include
+personal information, chat logs, and other private data that users have shared
+on the platform. This is called
+https://gdpr.eu/eu-gdpr-personal-data/[`Personally Identifiable Information`]. +
+The leaked app key could provide a gateway for unauthorized individuals to
+access and misuse this data, compromising the privacy and safety of the
+application users.
+
+In many industries and locations, there are legal and compliance requirements
+to protect sensitive data. If this kind of sensitive personal data gets leaked,
+companies face legal consequences, penalties, or violations of privacy laws.
+

shared_content/secrets/impact/phishing.adoc

@@ -0,0 +1,6 @@
+==== Phishing and spam
+
+An attacker can use this {secret_type} to spam users or lure them into links to
+a malicious domain controlled by the attacker. From here, an attacker can
+intercept the user’s credentials, bypass multi-factor authentication (MFA), and
+take over the user’s account on the trusted site.