Sydney MSSP DVULN uncovers vulnerability exposing data of 200,000 Aussie job seekers

The job service provider's website allowed Google Images to scrape end-users' driver's licences.

More than 200,000 job seekers’ documents were publicly accessible through an employment service provider’s APIs, a Sydney-based security services and development company has discovered.

DVULN CEO Jamieson O'Reilly told CRN he had found that more than 500,000 documents, including birth certificates, driver's licences and passports, were exposed through the same Insecure Direct Object Reference (IDOR) vulnerability the Optus hacker claimed to have exploited.

CRN is unable to confirm whether the provider was part of Workforce Australia — the network of government-funded employment service providers — which has previously been exposed breaking its obligation under the Privacy Act to cease collecting sensitive information when requested.

O'Reilly said he would not name the employment website at this stage because it could make the job seekers easier targets and the company “plans to release a statement” at a later date.

“I understand the importance of transparency. This was a hard decision not to name the company, but out of respect for the large number of people exposed, we wanted to give the company and Google time to clean this up before we named them.” 

One of the APIs allowed Google Images to scrape the profile photos that end-users uploaded, including those who had used a driver's licence as their photo. The other left identification documents that users submitted, such as Medicare cards, able to be exfiltrated through the same enumeration attack the Optus hacker claimed to have used.
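The enumeration weakness described above is an object-level authorization gap: the document id alone selects the file and the requester's identity is never checked. The following is an added illustration, not the provider's code (the store contents, handler names and status-code conventions are constructed); it shows a document endpoint with that gap beside one that checks ownership, plus a sweep helper a defender can use in tests to confirm the fix only serves the caller's own objects.

```python
# Constructed sample store: sequential document id -> (owner, filename).
# Sequential ids are what make a guessed id an easy hit.
DOCUMENTS = {
    1001: ("alice", "alice-drivers-licence.jpg"),
    1002: ("bob", "bob-passport.jpg"),
    1003: ("carol", "carol-medicare-card.jpg"),
}


def get_document_vulnerable(doc_id, session_user=None):
    """IDOR pattern: the id selects the file and the caller's identity is never
    consulted, so any id that exists is served to anyone, even unauthenticated."""
    record = DOCUMENTS.get(doc_id)
    if record is None:
        return 404, None
    return 200, record[1]


def get_document_hardened(doc_id, session_user):
    """Object-level authorization: require a session, then check that the document
    belongs to the requesting user. A not-owned id gets 404 rather than 403 so the
    response does not reveal which ids exist."""
    if session_user is None:
        return 401, None
    record = DOCUMENTS.get(doc_id)
    if record is None or record[0] != session_user:
        return 404, None
    return 200, record[1]


def sweep(handler, session_user, start, stop):
    """Defender-side regression check: walk an id range the way an enumeration
    would and return the filenames the handler hands back. A correct endpoint
    returns nothing for an unauthenticated caller and only the caller's own files."""
    served = []
    for doc_id in range(start, stop):
        status, body = handler(doc_id, session_user)
        if status == 200:
            served.append(body)
    return served
```

Run the sweep against each handler in the test suite: the vulnerable one returns every document for an anonymous caller, the hardened one returns nothing for an anonymous caller and only bob's file for bob.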

“I’m not aware if they have informed their own end-users. I do have a test account and I’m yet to see any email notification of this kind so my gut feeling says not yet,” O'Reilly said. 

The employment provider fixed the APIs and informed the Australian Cyber Security Centre when alerted to the vulnerabilities.

A spokesperson for the privacy advocacy organisation Digital Rights Watch told CRN, "This looks like another example of companies not taking security as seriously as they need to. In the case of job or rental applications, people have no choice but to use the platform provided by them, and when these services cut corners on security it's regular people who pay the price."

"We need real reform to the Privacy Act that minimises the data companies are allowed to collect and increases the penalties for breaches of privacy."

O’Reilly said he hoped that one outcome of the Optus hack would be clients giving their security providers a broader scope to address vulnerabilities across their entire attack surface.

“If the government increases penalties for breaches in response to the Optus hack that might mean organisations have to pay higher costs for an attack. This could mean organisations listen more to their security providers to prevent an attack.”

“For example, sometimes a security provider will alert an organisation to a vulnerability and they will say things like ‘this is a development server, I don’t need to secure it because it’s less likely to have customer data than a production server.’ However, there may be consequences of not securing a development server as well; it could be used to pivot to the production server for instance.”

DVULN provides security services including penetration testing and red teaming to both government and enterprise clients. 

O’Reilly said DVULN had also extended into development, which now made up “about 30 percent of the business”.

The company is developing products that support organisations against attacks on third-party software, and products that O’Reilly said would defend against vulnerabilities that may emerge as a result of quantum computing in the future. 

Copyright © nextmedia Pty Ltd. All rights reserved.