http://www.theregister.co.uk/2009/09/08/ridematch_website_vulnerability/

By Dan Goodin in San Francisco
The Register
8th September 2009

Programming errors on a website that helps commuters carpool to work are exposing sensitive information of workers for hundreds of employers in Southern California, including at least one military installation.

The bugs, discovered last month on RideMatch.info, allow hackers access to a variety of personal information, including individuals' names, home addresses, phone numbers, the times they commute to and from work, and in some cases employee numbers. The SQL injection vulnerability remained active at time of writing, more than two weeks after it was reported to a developer who runs the website.

"There's sensitive data there that definitely shouldn't be on the internet," said Kristian Hermansen, a security researcher who identified the vulnerability after receiving an email from his employer saying he was required by law to provide the information. "The reason I am bringing this to your attention is that the issue is not being fixed by the admins and most companies don't even know that their employees' personal and corporate information, like employee ID [number and] login ID, may have been compromised."

The form Hermansen was required to complete asked for a wealth of personal information, including his typical work hours, the times he begins work on each workday, and his employee ID. "The state can impose monetary penalties on companies that fail to complete this survey," an email sent by Hermansen's employer warned.

[...]
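The article names the bug class (SQL injection in a web form that stores commuter records) without showing what it looks like in code. The following is an added illustration, not code from RideMatch.info or from the article: a constructed in-memory SQLite table with made-up commuter rows, a lookup written the unsafe way (user input concatenated into the SQL text) beside the same lookup written with a parameterized query. The table name, column names and sample rows are all assumptions chosen to mirror the kinds of fields the article lists.

```python
import sqlite3

# Constructed sample data modelled on the field types the article describes
# (employee ID, name, home address, phone, commute start time). Fictional values.
SAMPLE_ROWS = [
    ("E1001", "Alice Example", "123 Main St", "555-0100", "07:30"),
    ("E1002", "Bob Example", "456 Oak Ave", "555-0101", "08:00"),
]


def make_db():
    """Build a throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE commuters ("
        "employee_id TEXT, name TEXT, address TEXT, phone TEXT, start_time TEXT)"
    )
    conn.executemany("INSERT INTO commuters VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, employee_id):
    """Unsafe pattern: the submitted value is spliced into the SQL string.

    A quote character in the input ends the literal early, so the rest of the
    input is parsed as SQL and the WHERE clause can be rewritten to match
    every row. This is the defect class the article reports."""
    sql = ("SELECT name, address, phone FROM commuters "
           "WHERE employee_id = '" + employee_id + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, employee_id):
    """Hardened form: a bound parameter.

    The driver sends the value separately from the statement text, so it is
    only ever compared as data; quotes and keywords in it have no effect."""
    sql = "SELECT name, address, phone FROM commuters WHERE employee_id = ?"
    return conn.execute(sql, (employee_id,)).fetchall()


def compare(employee_id):
    """Return how many rows each lookup discloses for the same submitted value."""
    conn = make_db()
    try:
        return {
            "vulnerable": len(lookup_vulnerable(conn, employee_id)),
            "safe": len(lookup_safe(conn, employee_id)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate ID returns one record either way.
    print("E1001          ->", compare("E1001"))
    # A value containing a quote and a tautology: the concatenated query
    # returns every record; the parameterized query returns none.
    print("quoted input   ->", compare("' OR '1'='1"))
```

The point for the defender is that the fix is mechanical and local: every place a request field reaches the database goes through a bound parameter (or an ORM that does so), and a code or SAST review that greps for string concatenation adjacent to SQL keywords finds the remaining instances. A web application firewall can slow such a probe down, but only the parameterized form removes the disclosure.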