This is Data Insecurity, a blog series about all the ways organizations fail to keep data secure online.
I recently applied to a job at a nonprofit through a third-party hiring platform. After submitting my application, the platform sent a link where I could check my application status and view the materials I had included in the application. After not hearing from the organization for a few weeks, I went to the link to view my status. While on the hiring platform, I wanted to see how secure the website was with application information. The vendor references data security and privacy on their website; they explicitly call out the need to protect the applicant contact details and other information so I wanted to see how they lived up to this expectation.
The applicant link that they sent me was secure; the link included a long string of random numbers and letters that would thwart most brute-force guessing attempts. However, once I went to the link, I noticed the system appears to assign a sequential number to each uploaded document. My resume was given the ID number “6409647” and could be accessed at the URL https://URL/Attachments/6409647, while my cover letter was given the ID number “6403458” and was available at https://URL/Attachments/6403458.
Using a sequential numbering system is not a strong security measure because once the pattern is figured out, it is trivial to iterate through every possible value and discover data that should not be accessible. A sequential numbering system can be acceptable only if additional security measures are in place to prevent unauthorized users from accessing the pages or documents. In this case, I was able to open the URLs for each document in a Google Chrome Incognito window without any further steps; this indicates that the documents are fully open to anyone on the public internet.
After I figured this out, I wrote a simple Python script to iterate through a list of numbers close to the numbers used for my application documents. While not every number had an associated document, I did uncover over 60 documents for other applicants. I could download their full CVs and any
So how serious is this issue? Generally speaking, there shouldn’t be any sensitive information in a cover letter or resume; people often include only their contact information, sometimes a mailing address. However, if an organization operating in a sensitive industry (security, defense, etc.) uses the platform, then access to applicant information could become a means for malicious actors to target potential employees.
Who else might be affected?
While I have withheld the URL in the links above, the hiring platform uses a standard subdomain naming convention for each customer. If I were applying for a job at ABC Corp, the URL might be “https://abc-corp.hiring-platform.com”. There is no easy way to get a list of all the subdomains (and thus all their customers), but there are free tools that scan the internet to find subdomains of a given domain. I used seranking, which gave me a list of ten subdomains for the job platform for free. Combining these subdomains with the sequential numbering system, I found hundreds of applicant documents for other employers.
How could they secure this information?
The primary way to prevent a malicious actor from collecting these documents would be to replace the sequential document numbering with random identifiers. They already use a random identifier for the applicant landing page, so they clearly have the means to do so.
Additionally, they could add rate limiting to prevent a single client from sending hundreds or thousands of document requests to their servers. I was able to iterate through tens of thousands of URLs at dozens of requests per minute while probing for documents, and at no point did the hiring platform block my IP address.
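As an added example (not the hiring platform’s code), here is how both fixes above look in Python: documents get unguessable identifiers from the `secrets` module, a download is served only to the applicant whose landing-page token uploaded it, and a per-client sliding-window limiter caps request bursts. The store, token values and function names are hypothetical.

```python
from __future__ import annotations
import secrets
import time
from collections import defaultdict, deque

# Constructed in-memory stores standing in for the platform's database:
# document id -> (owning applicant token, filename).
DOCUMENTS: dict[str, tuple[str, str]] = {}

def store_document(applicant_token: str, filename: str) -> str:
    """Mint a random document id instead of the next integer.
    token_urlsafe(24) yields 192 bits of entropy, so neighbouring ids
    share no pattern and cannot be walked sequentially."""
    doc_id = secrets.token_urlsafe(24)
    DOCUMENTS[doc_id] = (applicant_token, filename)
    return doc_id

def fetch_document(doc_id: str, applicant_token: str | None) -> str | None:
    """Serve a document only to the applicant who uploaded it. The random id
    raises the cost of guessing; this ownership check is what actually
    closes the hole, and it would have protected sequential ids too."""
    record = DOCUMENTS.get(doc_id)
    if record is None or applicant_token is None:
        return None
    owner, filename = record
    # Constant-time comparison so the token cannot be leaked via timing.
    if not secrets.compare_digest(owner, applicant_token):
        return None
    return filename

class RateLimiter:
    """Sliding window: at most `limit` requests per `window` seconds
    for each client key (for example the source IP)."""
    def __init__(self, limit: int, window: float) -> None:
        self.limit, self.window = limit, window
        self.hits: dict[str, deque[float]] = defaultdict(deque)

    def allow(self, client: str, now: float | None = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self.hits[client]
        while q and now - q[0] > self.window:   # drop expired hits
            q.popleft()
        if len(q) >= self.limit:
            return False                        # reject, e.g. HTTP 429
        q.append(now)
        return True
```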