Feeds

Website exposes sensitive details on military personnel

Required by law

Build a business case: developing custom apps

Programming errors on a website that helps commuters carpool to work are exposing sensitive information of workers for hundreds of employers in Southern California, including at least one military installation.

The bugs, discovered last month on RideMatch.info, allow hackers access to a variety of personal information, including individuals' names, home addresses, phone numbers, the times they commute to and from work, and in some cases employee numbers. The SQL injection vulnerability remained active at time of writing, more than two weeks after it was reported to a developer who runs the website.

"There's sensitive data there that definitely shouldn't be on the internet," said Kristian Hermansen, a security researcher who identified the vulnerability after receiving an email from his employer saying he was required by law to provide the information. "The reason I am bringing this to your attention is that the issue is not being fixed by the admins and most companies don't even know that their employees' personal and corporate information, like employee ID [number and] login ID, may have been compromised."

The form Hermansen was required to complete asked for a wealth of personal information, including his typical work hours, the times he begins work on each workday, and his employee ID. "The state can impose monetary penalties on companies that fail to complete this survey," an email sent by Hermansen's employer warned.

The website is a joint project developed by transit authorities in five regional governments in Southern California. Individuals enter their work and home addresses and the time they leave from each, and the website pairs them up with others with home and office locations and commute times that are suitable for carpools. Hermansen said virtually all of the data is accessible to anyone who knows how to exploit the vulnerability.

His tests revealed that at least one military institution was among the employers that used the website. The Register agreed to withhold the institution' identity because of the potential sensitivity of the matter.

A spokesman for the Riverside County Transportation Commission, one of the agencies responsible for the website, said administrators are working to fix the problem with the help of Trapeze Group, an Ontario, Canada-based company that designed the carpool software.

"We're confident we should have a fix for this in the next few days," the spokesman, John Standiford, said. "Trapeze being the provider of that software, they're trying to work with us and I guess others to come to a solution and fix the security problem."

Trapeze spokeswoman Kim Emmerson said on Tuesday that she was unaware of any security bugs in the software but promised the company would fix any that are brought to its attention.

"If there's a vulnerability, we would definitely investigate it and take care of it," she said.

The security lapse on RideMatch.info is only the latest reminder of the perils of SQL injection vulnerabilities. Three weeks ago, federal prosecutors revealed that hackers who stole more than 130 million payment card numbers were able to penetrate the network defenses of Heartland Payment Systems and four other companies after exploiting the garden-variety bug.

The flaw is the result of web applications that fail to adequately scrutinize user-generated text entered into search boxes and other fields on websites. Hackers can exploit them to pass commands directly to a website's backend database. Once identified, they can often be fixed in a matter of minutes, by changing a line or two of code.

The other agencies responsible for the site are: The Los Angeles County Metropolitan Transportation Authority, the Orange County Transportation Authority, the San Bernardino Associated Governments and the Ventura County Transportation Commission. ®

Endpoint data privacy in the cloud is easier than you think

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers
They're not emails, they're business records, says court
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Plug and PREY: Hackers reprogram USB drives to silently infect PCs
BadUSB instructs gadget chips to inject key-presses, redirect net traffic and more
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
prev story

Whitepapers

7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?