Feeds

Website exposes sensitive details on military personnel

Required by law

Reducing security risks from open source software

Programming errors on a website that helps commuters carpool to work are exposing sensitive information of workers for hundreds of employers in Southern California, including at least one military installation.

The bugs, discovered last month on RideMatch.info, allow hackers access to a variety of personal information, including individuals' names, home addresses, phone numbers, the times they commute to and from work, and in some cases employee numbers. The SQL injection vulnerability remained active at time of writing, more than two weeks after it was reported to a developer who runs the website.

"There's sensitive data there that definitely shouldn't be on the internet," said Kristian Hermansen, a security researcher who identified the vulnerability after receiving an email from his employer saying he was required by law to provide the information. "The reason I am bringing this to your attention is that the issue is not being fixed by the admins and most companies don't even know that their employees' personal and corporate information, like employee ID [number and] login ID, may have been compromised."

The form Hermansen was required to complete asked for a wealth of personal information, including his typical work hours, the times he begins work on each workday, and his employee ID. "The state can impose monetary penalties on companies that fail to complete this survey," an email sent by Hermansen's employer warned.

The website is a joint project developed by transit authorities in five regional governments in Southern California. Individuals enter their work and home addresses and the time they leave from each, and the website pairs them up with others with home and office locations and commute times that are suitable for carpools. Hermansen said virtually all of the data is accessible to anyone who knows how to exploit the vulnerability.

His tests revealed that at least one military institution was among the employers that used the website. The Register agreed to withhold the institution' identity because of the potential sensitivity of the matter.

A spokesman for the Riverside County Transportation Commission, one of the agencies responsible for the website, said administrators are working to fix the problem with the help of Trapeze Group, an Ontario, Canada-based company that designed the carpool software.

"We're confident we should have a fix for this in the next few days," the spokesman, John Standiford, said. "Trapeze being the provider of that software, they're trying to work with us and I guess others to come to a solution and fix the security problem."

Trapeze spokeswoman Kim Emmerson said on Tuesday that she was unaware of any security bugs in the software but promised the company would fix any that are brought to its attention.

"If there's a vulnerability, we would definitely investigate it and take care of it," she said.

The security lapse on RideMatch.info is only the latest reminder of the perils of SQL injection vulnerabilities. Three weeks ago, federal prosecutors revealed that hackers who stole more than 130 million payment card numbers were able to penetrate the network defenses of Heartland Payment Systems and four other companies after exploiting the garden-variety bug.

The flaw is the result of web applications that fail to adequately scrutinize user-generated text entered into search boxes and other fields on websites. Hackers can exploit them to pass commands directly to a website's backend database. Once identified, they can often be fixed in a matter of minutes, by changing a line or two of code.

The other agencies responsible for the site are: The Los Angeles County Metropolitan Transportation Authority, the Orange County Transportation Authority, the San Bernardino Associated Governments and the Ventura County Transportation Commission. ®

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Microsoft: You NEED bad passwords and should re-use them a lot
Dirty QWERTY a perfect P@ssword1 for garbage websites
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
NIST told to grow a pair and kick NSA to the curb
Lrn2crypto, oversight panel tells US govt's algorithm bods
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.