The employment service provider’s website allowed Google Images to retrieve end users’ driver’s licenses.
More than 200,000 job seeker documents were publicly available through an employment services provider’s APIs, a Sydney-based security and development services firm has found.
DVULN CEO Jamieson O’Reilly told CRN he discovered that more than 500,000 documents, including birth certificates, driver’s licenses and passports, were exposed through the same Insecure Direct Object Reference vulnerability that the Optus hacker claimed to exploit.
CRN is unable to confirm whether the supplier was part of Workforce Australia – the network of government-funded employment service providers – which have previously been exposed as breaching privacy obligations under the Data Protection Act to stop collecting sensitive information upon request.
O’Reilly said he would not name the jobs website at this stage because it could make job seekers easier targets and the company “plans to release a statement” at a later date.
“I understand the importance of transparency. It was a tough decision not to name the company, but out of respect for the large number of people exposed, we wanted to give the company and Google time to clean this up before naming them.”
One of the APIs allowed Google Images to retrieve profile photos uploaded by end users, including where they had used driver’s licenses. Other identification documents left by users, such as health insurance cards, could be exfiltrated via the same enumeration attack the Optus hacker claimed to be using.
“I don’t know if they notified their own end users. I have a test account and haven’t seen an email notification like this yet, so my gut tells me it’s not yet,” O’Reilly said.
The job provider patched the APIs and notified the Australian Cyber Security Centre when alerted to the vulnerabilities.
A spokesperson for privacy organization Digital Rights Watch told CRN, “This looks like another example of companies not taking security as seriously as they should. job applications or hiring, people have no choice but to use the platform provided by them and when these services cut corners on security, it is ordinary people who pay the price.”
“We need real Privacy Act reform that minimizes the data companies are allowed to collect and increases penalties for privacy breaches.”
O’Reilly said he hopes the outcome of the Optus hack will be that customers allow their security vendors a broader scope to harden vulnerabilities across their entire attack surface.
“If the government increases penalties for breaches in response to the Optus hack, it could mean organizations have to pay higher costs for an attack. It could mean organizations are listening more to their security vendors to prevent an attack.”
“For example, sometimes a security vendor will alert an organization to a vulnerability and say things like ‘this is a development server, I don’t need to secure it because it’s less likely to contain customer data than a production server’. However, not securing a development server can also have consequences; it could be used to pivot to the production server for example.”
DVULN provides security services, including penetration testing and red teams, to governments and enterprises.
O’Reilly said DVULN had also expanded into development, which now accounted for “about 30% of the business”.
The company develops products that support organizations against third-party software attacks, and products that O’Reilly believes will defend against vulnerabilities that may emerge in the future as a result of quantum computing.