Saturday, November 29, 2014

information disclosure vulnerability in TalentBrew by TMP Worldwide, effected eBay HP Walmart Officedepot and many others companies


The target: Job alert system 
Part of:TalentBrew
Made by:TMP Worldwide

Amitay Dan (popshark1)


Looking for a job can take you into very interesting places.
That's how I found this security flaw in TMP Worldwide.

If you looking only for technical report, I'll make it simple for you.
Instead of typing password,attacker had abilities to insert the email of his victim.

http://ebay.tmpseoqa.com/SubscribeJobs.aspx?email=ineedadollar@sharklasers.com

My POC included the business analyzing, so you can jump into he end of the video.

I've added pictures as well.

  
Affected companies:

HP (1 and  2)
Walmart
Officedepot
eBay inc (1 and 2)
Scotiabank

There are more,but I can't get this information.
Affected potential workers over the world,unknown.

  
Attack  scenario:

1.Attacker can brute force the password.
2.Attacker can cross the password by typing

http://jobs.ebaycareers.com/SubscribeJobs.aspx?email={user-email}

3.After checking more carefully  there is another way to cross check point by typing
 
http://ebay.tmpseoqa.com/SubscribeJobs.aspx?email={user-email}

4.Attacker can Unsubscribe users via:

http://jobs.***.com/unsubscribe?email={user-email}


POC:

http://ebay.tmpseoqa.com/SubscribeJobs.aspx?email=ineedadollar@sharklasers.com
http://jobs.ebaycareers.com/SubscribeJobs.aspx?email=ineedadollar@sharklasers.com

After sock:

Attacker can check, where is the current location/wanted location of potential worker.
Attacker can send emails with offer to work under your company name.
Workers can be fired from jobs if the current employer find that's they want to change a job. (BI)

TMP Worldwide, didn't handle so well. they even told me to contact theirs client,instead of taking the problem into the hand.

eBay answer me,but didn't gave me new update for up then 45 days.
Since the major problem has been fixed, I'm publishing my finding.



פרצת אבטחה שאיתרתי בסוכן המשרות החכם של חברת TMP Worldwide פגעה בין היתר בחברות:
HP
Walmart
Officedepot
eBay inc 
Scotiabank

כל המועמדים לעבודה בחברות אלו,אשר השתמשו במערכת שוכן המשרות החכם (Job Alert) היו חשופים לפגיעה.
רמת הפגיעה: נמוכה עד בינונית
היקף:רחב

Many of you are trying to get a job, In my recent journey to get one, I've found this security flaw in TMP Worldwide (Telephone Marketing Programs).

I really wanted a job,nothing more nothing less.

TMP got the warning first, I was trying phone call (i was ugly) as well as email exchange which started fine but then they disappeared.

SInce I was told by TMP representative  to speak with the company where the problem appears, I was emailing eBay related to the issue.

eBay answer was

Into the point: you can read more about TMP Worldwide in theirs website or Wikipedia
 
In generally,they are independent recruitment advertising agency, The product which had a problem was theirs Job Alerts system, which is part of the TalentBrew 

"Job Alerts
Stay connected with your candidates through e-mail sign-up and RSS feeds. Job Alerts give job seekers the ability to receive customized updates on job listings they are interested in."









After understanding who are TMP, let's try to understand more about the impact of the problem.

In the Talent service they gives, potential recruits got an offer to add his email,as well as the favourite countries/jobs. by then, the job alert system start to work,and the potential recruits get update for any new job listed in the website.

As a SAAS (Software as a service) product,and with great integration into verity of clients, TMP Worldwide got awards and made later on cooperation with major players over the world,such as Oracle which acquired Taleo Corporation (NASDAQ:TLEO) back in 2012.

The Impact is really clear, Taleo and TalentBrew in many recruits website, coming hand by hands, Teleo for the job offer, and TalentBrew to do many things behind the scene,like Job Alerts.

Since TMP Worldwide have verity of clients, in many cases they handle the whole recruits website,not only the TalentBrew integration.





 

To make things clear, the problem appears in TMP, Oracle is another way to sell the SAAS services of TMP.


Now to the problems:

Architecture - didn't fixed:

Basic system problem:

1.Password contain only six digits,number only which can be hacked very easy by brute force.
2.The channel is not secure with SSL
3.The emails came from tmp.com which is not eBay/PayPal or any of your group.
Attack  scenario:
Attacker can brute force the password

Those problem never fixed.

The problem which has been fixed,is the ability to hack into the recruits alert system,when you know the target's email.

Attack  scenario:
Using the email of the target, and by having the database of eBay's workers, the HR office can check if someone added him self into HP recruits website,this gave the attacker ability to know what are the planes or wanted jobs of his workers.

By the way, remember this? "Apple, Google, Intel, Adobe to pay $325 million to settle hiring lawsuit" ..


Example:
http://ebay.tmpseoqa.com/SubscribeJobs.aspx?email={user-email}
http://jobs.mcafee.com/unsubscribe?email={user-email}


Which companies got effected by the information disclosure vulnerability?
I have only small list, but I'm sure there are many others.


eBay inc.
HP and here
Walmart
Office Depot
Scotibank 

We can just imagine how many workers, are using Job alert system every year.
Potential workers should get better security.  

After sock:

Attacker can know now now where is the current location/wanted location of potential worker.
Attacker can send emails with offer to work under your company name.
Workers can be fired from his jobs, if the current employer find out who want to change a job. (BI)



 HP


 eBay inc





 Wallmart





OfficeDepot






 Scotibank



 In here you can see how I've spotted the SQL vulnerability VIA Google:






 To add more data, I've added this who.is proof to show the conncetion into TMP Worldwide.



 If you really want to see the video, here is the POC related to eBay inc.



And HP



2 comments:

  1. I could not replicate your attack. I get redirected to their main page. Did they fix it?

    ReplyDelete
  2. Hi Anonymous, TMP Worldwide fixed the problem after I was reporting the problem...
    As I know currently the problem which they didn't fixed,is the missing of encryption, and weak password (only six digits).

    ReplyDelete