SAP E-Recruiting bug could let you stop rivals poaching your people
This might be the rare case of a bug you don't want patched
SAP admins, there's a bug in the E-Recruiting registration flow that could give your HR department headaches by letting an outsider block people from registering their e-mail addresses with the system.
The problem is that the registration confirmation URL sent to job-seekers is predictable, so an attacker can submit other people's e-mail addresses to the system and then guess the "e-mail confirmation" link that went to their inboxes. It could have been prevented by putting an unguessable, per-registration nonce in the confirmation link, but that wasn't done in E-Recruiting releases 605, 606, 616 or 617.
As described by SEC Consult here, when someone registers with SAP's E-Recruiting solution, they get a confirmation e-mail whose link carries an incremental (and therefore predictable) object ID, candidate_hrobjectvalue.
For an attacker, then, the process would be:
- Register with an e-mail address they can access, and read the candidate_hrobjectvalue out of the confirmation link they receive;
- Immediately register with a "victim's" e-mail address. Because the ID simply increments, the victim's candidate_hrobjectvalue is the attacker's plus one, or a little higher if other registrations landed in between, so a handful of guesses yields the victim's confirmation URL.
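The following toy model, added here for illustration and not taken from SAP or from the SEC Consult advisory, plays through the two-step attack above against a service whose confirmation link carries only an incrementing candidate_hrobjectvalue, and then against the same service hardened with a per-registration random token. The host name, the URL layout, the `token` parameter and every class and function name are assumptions made for the demonstration; only the parameter name candidate_hrobjectvalue comes from the advisory.

```python
"""Toy model of a predictable registration-confirmation link and its fix.

Illustrative code written for this article, not SAP's implementation.
Everything except the parameter name candidate_hrobjectvalue is assumed.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

BASE = "https://recruiting.example/confirm"  # assumed endpoint


def _object_id(link):
    """Pull the candidate_hrobjectvalue out of a confirmation link."""
    return int(parse_qs(urlparse(link).query)["candidate_hrobjectvalue"][0])


class SequentialRegistration:
    """Confirmation links carry only an incrementing object ID,
    the pattern the advisory describes."""

    def __init__(self, start=1000):
        self._next_id = start
        self.pending = {}    # object id -> e-mail awaiting confirmation
        self.confirmed = {}  # e-mail -> object id (address usable once)

    def register(self, email):
        if email in self.confirmed or email in self.pending.values():
            raise ValueError("e-mail already registered")
        obj, self._next_id = self._next_id, self._next_id + 1
        self.pending[obj] = email
        # This link is mailed to `email`; only that mailbox should see it.
        return f"{BASE}?candidate_hrobjectvalue={obj}"

    def confirm(self, link):
        email = self.pending.pop(_object_id(link), None)
        if email is None:
            return False
        self.confirmed[email] = _object_id(link)
        return True


class NoncedRegistration(SequentialRegistration):
    """Same service, but each link also carries a random per-registration
    token, compared in constant time, so the ID alone is worthless."""

    def __init__(self, start=1000):
        super().__init__(start)
        self._tokens = {}  # object id -> nonce

    def register(self, email):
        link = super().register(email)
        nonce = secrets.token_urlsafe(32)
        self._tokens[_object_id(link)] = nonce
        return f"{link}&token={nonce}"

    def confirm(self, link):
        obj = _object_id(link)
        supplied = parse_qs(urlparse(link).query).get("token", [""])[0]
        expected = self._tokens.get(obj)
        if expected is None or not hmac.compare_digest(supplied, expected):
            return False
        del self._tokens[obj]
        return super().confirm(link)


def attack(service, attacker_email, victim_email, max_guesses=20):
    """The article's two-step attack: learn your own ID from your own
    link, register the victim, then count upward to guess their link.
    Returns the guessed ID on success, None if every guess is rejected."""
    own_id = _object_id(service.register(attacker_email))
    service.register(victim_email)  # real link goes to the victim's inbox
    for guess in range(own_id + 1, own_id + 1 + max_guesses):
        if service.confirm(f"{BASE}?candidate_hrobjectvalue={guess}"):
            return guess
    return None


if __name__ == "__main__":
    weak, fixed = SequentialRegistration(), NoncedRegistration()
    print("sequential IDs:", attack(weak, "attacker@example.net", "target@example.org"))
    print("with nonce:    ", attack(fixed, "attacker@example.net", "target@example.org"))
```

Against the sequential service the second guess is never needed: the victim's ID is the attacker's plus one, and once confirmed that way the victim's address is tied to an account they never saw. Against the nonced service the same loop exhausts its guesses without a single success, while the genuine link still confirms.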
The result is that the victim's address ends up confirmed on an account the attacker controls, and the SEC Consult post notes that some business processes assume a confirmed address really can be used to reach its owner.
There's an unexpected upside to this bug: imagine you see a rival advertising a job that some of your people would fit. With minimal effort you could pre-register your team's e-mail addresses - including personal addresses if you know them - and because those addresses can only be used once in SAP's application, effectively prevent your people from applying for that job! Unless of course they whip up a new address ...
The advisory says SAP has addressed the issue in SAP Security Note 2507798. ®