Website exposes sensitive details on military personnel
Required by law
Programming errors on a website that helps commuters carpool to work are exposing sensitive information of workers for hundreds of employers in Southern California, including at least one military installation.
The bugs, discovered last month on RideMatch.info, allow hackers access to a variety of personal information, including individuals' names, home addresses, phone numbers, the times they commute to and from work, and in some cases employee numbers. The SQL injection vulnerability remained active at time of writing, more than two weeks after it was reported to a developer who runs the website.
"There's sensitive data there that definitely shouldn't be on the internet," said Kristian Hermansen, a security researcher who identified the vulnerability after receiving an email from his employer saying he was required by law to provide the information. "The reason I am bringing this to your attention is that the issue is not being fixed by the admins and most companies don't even know that their employees' personal and corporate information, like employee ID [number and] login ID, may have been compromised."
The form Hermansen was required to complete asked for a wealth of personal information, including his typical work hours, the times he begins work on each workday, and his employee ID. "The state can impose monetary penalties on companies that fail to complete this survey," an email sent by Hermansen's employer warned.
The website is a joint project developed by transit authorities in five regional governments in Southern California. Individuals enter their work and home addresses and the time they leave from each, and the website pairs them up with others with home and office locations and commute times that are suitable for carpools. Hermansen said virtually all of the data is accessible to anyone who knows how to exploit the vulnerability.
His tests revealed that at least one military institution was among the employers that used the website. The Register agreed to withhold the institution' identity because of the potential sensitivity of the matter.
A spokesman for the Riverside County Transportation Commission, one of the agencies responsible for the website, said administrators are working to fix the problem with the help of Trapeze Group, an Ontario, Canada-based company that designed the carpool software.
"We're confident we should have a fix for this in the next few days," the spokesman, John Standiford, said. "Trapeze being the provider of that software, they're trying to work with us and I guess others to come to a solution and fix the security problem."
Trapeze spokeswoman Kim Emmerson said on Tuesday that she was unaware of any security bugs in the software but promised the company would fix any that are brought to its attention.
"If there's a vulnerability, we would definitely investigate it and take care of it," she said.
The security lapse on RideMatch.info is only the latest reminder of the perils of SQL injection vulnerabilities. Three weeks ago, federal prosecutors revealed that hackers who stole more than 130 million payment card numbers were able to penetrate the network defenses of Heartland Payment Systems and four other companies after exploiting the garden-variety bug.
The flaw is the result of web applications that fail to adequately scrutinize user-generated text entered into search boxes and other fields on websites. Hackers can exploit them to pass commands directly to a website's backend database. Once identified, they can often be fixed in a matter of minutes, by changing a line or two of code.
The other agencies responsible for the site are: The Los Angeles County Metropolitan Transportation Authority, the Orange County Transportation Authority, the San Bernardino Associated Governments and the Ventura County Transportation Commission. ®
That's why I suggested that Bobby might want to join a carpool... there's no law against putting your legal name into that database, is there?
Anyway, as I was pointing out the futility of the Reg leaving out the military institution's name when it could be found from the flawed site, it is probably reasonable to assume that anyone wanting to use the information for nefarious purposes might be unconcerned about breaking the law.
What's an Ideot?
Ive seen this time and time again in my day job part of which is security signing rubbish like this off, and 9/10ths of the time you follow the trail back to who wrote it and its some offshored programming team completely ignoring security design principles. They deliver exactly what their wooly wrote by managements contract dictates, a working gui with no sanitisation of input or anything.
Queue trapeze group stating "we are not aware of any such problems in our software" in the PR statement. Of course theyre not, they wont have actually have it tested and risk generating more non chargeable cost for theimselves will they???
Whats worrying is that people are being mandated to put their information into closed bespoke written systems like this, which have not been evaluated for fit for purpose by people with a clue.
Thus exposing those of us who care about privacy against our wishes to risk caused by their crappy designs.
Allan George Dyer
Ye. If you want to brake the law to find out that infomation. Ideot.