The target: Job alert system
Part of: TalentBrew
Made by: TMP Worldwide
Amitay Dan (popshark1)
Looking for a job can take you into very interesting places.
That's how I found this security flaw in TMP Worldwide.
If you are looking only for the technical report, I'll make it simple for you.
Instead of typing a password, an attacker was able to insert the email of his victim.
http://ebay.tmpseoqa.com/SubscribeJobs.aspx?email=ineedadollar@sharklasers.com
My POC included the business analysis, so you can jump to the end of the video.
I've added pictures as well.
Affected companies:
HP (1 and 2)
Walmart
Office Depot
eBay inc (1 and 2)
Scotiabank
There are more, but I can't get this information.
Affected potential workers over the world: unknown.
Attack scenario:
1. Attacker can brute force the password.
2. Attacker can bypass the password by typing
http://jobs.ebaycareers.com/SubscribeJobs.aspx?email={user-email}
3. After checking more carefully, there is another way to bypass the checkpoint by typing
http://ebay.tmpseoqa.com/SubscribeJobs.aspx?email={user-email}
4. Attacker can unsubscribe users via:
http://jobs.***.com/unsubscribe?email={user-email}
POC:
http://ebay.tmpseoqa.com/SubscribeJobs.aspx?email=ineedadollar@sharklasers.com
http://jobs.ebaycareers.com/SubscribeJobs.aspx?email=ineedadollar@sharklasers.com
Aftershock:
Attacker can check the current location/wanted location of a potential worker.
Attacker can send emails with an offer to work under your company name.
Workers can be fired from their jobs if the current employer finds out that they want to change jobs. (BI)
TMP Worldwide didn't handle it so well. They even told me to contact their client, instead of taking the problem in hand.
eBay answered me, but didn't give me a new update for more than 45 days.
Since the major problem has been fixed, I'm publishing my finding.
A security flaw I found in the smart job agent of TMP Worldwide affected, among others, the following companies:
HP
Walmart
Office Depot
eBay inc
Scotiabank
All job candidates at these companies who used the smart job agent system (Job Alert) were exposed to harm.
Severity: low to medium
Scope: wide
Many of you are trying to get a job. In my recent journey to get one, I've found this security flaw in TMP Worldwide (Telephone Marketing Programs).
I really wanted a job, nothing more, nothing less.
TMP got the warning first. I tried a phone call (I was ugly) as well as an email exchange, which started fine, but then they disappeared.
Since I was told by a TMP representative to speak with the company where the problem appears, I emailed eBay about the issue.
eBay's answer was
In general, they are an independent recruitment advertising agency. The product which had a problem was their Job Alerts system, which is part of TalentBrew.
Source: TMP Worldwide
"Job Alerts
Stay connected with your candidates through e-mail sign-up and RSS feeds. Job Alerts give job seekers the ability to receive customized updates on job listings they are interested in."
After understanding who TMP are, let's try to understand more about the impact of the problem.
In the Talent service they provide, potential recruits get an offer to add their email, as well as their favourite countries/jobs. From then on, the job alert system starts to work, and the potential recruits get an update for any new job listed on the website.
As a SaaS (Software as a Service) product, and with great integration into a variety of clients, TMP Worldwide got awards and later on cooperated with major players over the world, such as Oracle, which acquired Taleo Corporation (NASDAQ:TLEO) back in 2012.
The impact is really clear: Taleo and TalentBrew come hand in hand in many recruiting websites, Taleo for the job offers, and TalentBrew to do many things behind the scenes, like Job Alerts.
Since TMP Worldwide has a variety of clients, in many cases they handle the whole recruiting website, not only the TalentBrew integration.
To make things clear, the problem appears in TMP; Oracle is another way to sell the SaaS services of TMP.
Now to the problems:
Architecture - not fixed:
Basic system problems:
1. The password contains only six digits, numbers only, which can be hacked very easily by brute force.
2. The channel is not secured with SSL.
3. The emails came from tmp.com, which is not eBay/PayPal or any of your group.
Attack scenario:
Attacker can brute force the password
Those problems were never fixed.
The problem which has been fixed is the ability to hack into the recruits alert system when you know the target's email.
Attack scenario:
Using the email of the target, and by having the database of eBay's workers, the HR office can check if someone added himself to the HP recruiting website; this gave the attacker the ability to know the plans or wanted jobs of his workers.
By the way, remember this? "Apple, Google, Intel, Adobe to pay $325 million to settle hiring lawsuit"...
Example:
http://ebay.tmpseoqa.com/SubscribeJobs.aspx?email={user-email}
http://jobs.mcafee.com/unsubscribe?email={user-email}
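One way to close the hole described above, where a bare `email=` parameter stood in for authentication, is to mail each subscriber a signed, expiring link and accept only that. This is an added sketch, not TMP's actual fix and not code from the original post; the secret, the token layout and all function names are assumptions.

```python
import base64, hashlib, hmac, time

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(email: str, action: str, ttl: int = 86400, now=None) -> str:
    """Token bound to one address, one action and an expiry; mailed to that address only."""
    expires = int((now if now is not None else time.time()) + ttl)
    payload = f"{email.lower()}|{action}|{expires}".encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{b64e(payload)}.{b64e(sig)}"

def verify_token(token: str, action: str, now=None):
    """Return the email the token authorises for `action`, or None if it is invalid."""
    try:
        p64, s64 = token.split(".")
        payload, sig = b64d(p64), b64d(s64)
        # rsplit: the local part of an address may itself contain "|"
        email, tok_action, expires = payload.decode().rsplit("|", 2)
        expires_at = int(expires)
    except ValueError:  # malformed token, bad base64, bad UTF-8, bad integer
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    current = now if now is not None else time.time()
    if tok_action != action or current > expires_at:
        return None
    return email

def handle_request(query: dict, action: str, now=None):
    """Hardened handler: a bare email parameter is never treated as identity."""
    email = verify_token(query.get("token", ""), action, now)
    if email is None:
        return 403, None
    return 200, email
```

Because the token names the action, a link issued for managing alerts cannot be replayed against the unsubscribe endpoint.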
Which companies were affected by the information disclosure vulnerability?
I have only a small list, but I'm sure there are many others.
eBay inc.
HP and here
Walmart
Office Depot
Scotiabank
We can just imagine how many workers are using the Job alert system every year.
Potential workers should get better security.
Aftershock:
Attacker can now know the current location/wanted location of a potential worker.
Attacker can send emails with an offer to work under your company name.
Workers can be fired from their jobs if the current employer finds out who wants to change jobs. (BI)
HP
eBay inc
Walmart
Office Depot
Scotiabank
Here you can see how I've spotted the SQL vulnerability via Google:
To add more data, I've added this who.is proof to show the connection to TMP Worldwide.
If you really want to see the video, here is the POC related to eBay inc.
And HP