diff --git a/app/controllers/tutorials_controller.rb b/app/controllers/tutorials_controller.rb
index 1e1d1dd..7bc3459 100755
--- a/app/controllers/tutorials_controller.rb
+++ b/app/controllers/tutorials_controller.rb
@@ -56,4 +56,50 @@ class TutorialsController < ApplicationController
   def guard
   end
   
+  def info_disclosure
+    @bad_code_1 = 
+    %q{
+    <table class="table table-bordered table-striped">
+            <thead>
+              <tr>
+				<th style="width:16%">Full Name</th>
+                <th style="width:16%">Income</th>
+                <th style="width:16%">Bonuses</th>
+                <th style="width:16%">Years w/ MetaCorp</th>
+                <th style="width:16%">SSN</th>
+				<th style="width:16%">DoB</th>
+              </tr>
+            </thead>
+            <tbody>
+            
+			  <tr>
+                <td><%= "#{@user.first_name} #{@user.last_name}" %></td>
+                <td><%= @user.work_info.income %></td>
+                <td><%= @user.work_info.bonuses %></td>
+                <td><%= @user.work_info.years_worked %></td>
+				<td class="ssn"><%= @user.work_info.SSN %></td>
+				<td><%= @user.work_info.DoB %></td>
+              </tr>
+           
+            </tbody>
+          </table>
+      }
+    
+    @good_code_1 = %q{
+      class WorkInfo < ActiveRecord::Base
+        attr_accessible :DoB, :SSN, :bonuses, :income, :years_worked
+        belongs_to :user
+
+        # We should probably use this
+        def last_four
+          "***-**-" << self.SSN[-4,4]
+        end
+
+      end
+    }  
+    
+  @bad_code_2 = %q{<td class="ssn"><%= @user.work_info.SSN %></td>}
+  @good_code_2 = %q{<td class="ssn"><%= @user.work_info.last_four %></td>}  
+  end
+  
 end
diff --git a/app/views/layouts/tutorial/_sidebar.html.erb b/app/views/layouts/tutorial/_sidebar.html.erb
index 1fc24ee..7aa9ae8 100755
--- a/app/views/layouts/tutorial/_sidebar.html.erb
+++ b/app/views/layouts/tutorial/_sidebar.html.erb
@@ -99,8 +99,11 @@
         <li id="guard">
          <%= link_to "Guard", guard_tutorials_path %>
         </li>
-        <li>
+        <li id="info_dislosure">
           <a href="#">Session Secret</a>
+        </li>
+		<li>
+          <%= link_to "Info Dislosure", info_disclosure_tutorials_path %>
         </li>
         <li>
           <a href="#">DB Sessions</a>
diff --git a/app/views/layouts/tutorial/info_disclosure/_ssn_disclosure.html.erb b/app/views/layouts/tutorial/info_disclosure/_ssn_disclosure.html.erb
new file mode 100644
index 0000000..76c7d12
--- /dev/null
+++ b/app/views/layouts/tutorial/info_disclosure/_ssn_disclosure.html.erb
@@ -0,0 +1,98 @@
+<div class="widget">
+    <div class="widget-header">
+      <div class="title">
+        <span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> Information Disclosure (Sensitive)
+      </div>
+    </div>
+    <div class="widget-body">
+      <div id="accordion1" class="accordion no-margin">
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseOne" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-info icon-white">
+              </i>
+              Description
+            </a>
+          </div>
+          <div class="accordion-body in collapse" id="collapseOne" style="height: auto;">
+            <div class="accordion-inner">
+             <p class="desc">
+			  The application stores and returns full social security numbers. The clear-text storage of this value within the database falls under <%= link_to "Insecure Cryptographic Storage", crypto_tutorials_path, {:style => "color: rgb(181, 121, 158)"}%>. However, the other failure here is that the application returns this full SSN value within the response for the user's Work Info page. Although a portion of the SSN value is obfuscated using JavaScript (when rendered in the browser), any attacker who has positioned themselves to sniff this traffic or read the user's browser cache can extract the full value from the source. 
+			 </p>
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseTwo" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-bug icon-white">
+              </i>
+              Bug
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseTwo" style="height: 0px;">
+            <div class="accordion-inner">
+               <p>
+				The bug is introduced within app/views/work_info/index.html.erb, seen on line 20:
+			   </p>
+			   <p>
+			   		<pre class="ruby">
+						<%= @bad_code_1 %>
+				 	</pre>
+				
+				The value, stored unencrypted, is called directly from the database. (line 20)
+			   </p>	
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseThree" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-lightning icon-white">
+              </i>
+              Solution
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseThree" style="height: 0px;">
+            <div class="accordion-inner">
+			 <p>
+              A model method to return only the last four digits already exists. The following code was taken from the WorkInfo model - app/models/work_info.rb:
+			 </p>
+			 <p class="desc">
+				<pre class="ruby">
+					<%= @good_code_1%>
+			    </pre>
+			</p>
+			<p class="desc">		
+			  Essentially, this takes the SSN string from the DB, retrieves only the last four characters in the string, and concatenates the last four characters with asterisks. Because this occurs at the model level, the view page never calls the full SSN value and therefore the user's browser never receives the full SSN. The view code would need to change from...
+				<pre class="ruby">
+					<%= @bad_code_2 %>
+			    </pre>
+			    to...
+			    <pre class="ruby">
+					<%= @good_code_2 %>
+				</pre>
+			 </p>	
+			
+            </div>
+          </div>
+        </div>
+     	<div class="accordion-group">
+          <div class="accordion-heading">
+            <a  style="background-color: rgb(181, 121, 158)" href="#collapseFour" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-aid icon-white">
+              </i>
+              Hint
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseFour" style="height: 0px;">
+            <div class="accordion-inner">
+			 <p>
+              Inspect your work information closely
+ 			 </p>
+            </div>
+          </div>
+        </div> 
+	 </div>
+    </div>
+  </div>
\ No newline at end of file
diff --git a/app/views/tutorials/info_disclosure.html.erb b/app/views/tutorials/info_disclosure.html.erb
new file mode 100644
index 0000000..660fb97
--- /dev/null
+++ b/app/views/tutorials/info_disclosure.html.erb
@@ -0,0 +1,17 @@
+<div class="dashboard-wrapper">
+	<div class="main-container">
+		<div class="row-fluid">
+		    <div class="span12"> <!-- Begin Span12 -->
+		       <%= render :partial => "layouts/tutorial/info_disclosure/ssn_disclosure"%>
+		    </div> <!-- End Span12 -->
+		</div>
+	</div>
+</div>
+
+<script type="text/javascript">
+function makeActive(){
+	$('li[id="info_dislosure"]').addClass('active');
+};
+
+$(document).ready(makeActive);
+</script>
\ No newline at end of file
diff --git a/config/routes.rb b/config/routes.rb
index ac5950d..6a8217d 100755
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -39,6 +39,7 @@ resources :tutorials do
     get "ssl_tls"
     get "redirects"
     get "guard"
+    get "info_disclosure"
   end
 end