SAP E-Recruiting bug could let you stop rivals poaching your people

This might be the rare case of a bug you don't want patched

SAP admins, there's an email system bug that could give your HR department headaches, by blocking people from registering their email with its E-Recruiting system.

The problem is that a registration URL provided to job-seekers is predictable, meaning an attacker could put other people's email addresses into the system and guess the “email confirmation” link. It could be blocked by adding a pre-registration nonce to the confirmation link, but that wasn't done in release versions 605, 606, 616 or 617.

As described by SEC Consult here, when someone registers with SAP's E-Recruiting solution, they get a confirmation e-mail containing an incremental (and therefore predictable) object called candidate_hrobject.

For an attacker, then, the process would be:

  • Register with an email address they can access, and receive the confirmation link;
  • Immediately register with a “victim's” email address, and guess the candidate_hrobject value to obtain the confirmation URL (multiple guesses may be needed).

The SEC Consult post notes that some business processes assume people can be contacted by email.

There's an unexpected upside to this bug: imagine you see a rival advertising a job that some of your people would fit. With minimal effort you could pre-register your team's email addresses - including personal addresses if you know them - and because those addresses can only be used once in SAP's application, effectively prevent your people from applying for that job! Unless of course they whip up a new address ...
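For readers wondering what the "pre-registration nonce" fix looks like in practice, here is an added example of a confirmation flow that avoids both problems above: the link carries an unguessable random value rather than an incremental object id, and an address is only locked once its owner has actually confirmed it, so a stranger pre-registering your address cannot block you. This is illustrative code written for this article, not SAP's; the class and function names, the URL, and the in-memory store are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed, in-memory model of an e-mail confirmation flow. Added example
# for this article, not SAP E-Recruiting code; RegistrationStore, confirm()
# and the careers.example.invalid URL are assumptions made here.
CONFIRM_URL = "https://careers.example.invalid/confirm?"


class RegistrationStore:
    """Pending registrations keyed by e-mail; confirmation needs a random nonce."""

    def __init__(self, ttl_seconds=3600, now=time.time):
        self.now = now                # injectable clock, so expiry is testable
        self.ttl = ttl_seconds
        self.pending = {}             # email -> (sha256(nonce) hex, expiry time)
        self.confirmed = set()

    def register(self, email):
        """Create or replace a pending registration; return the confirmation link.

        The nonce is 256 bits from the OS CSPRNG, so one link tells you nothing
        about the next, unlike a sequential object id. Only its hash is stored,
        so a leaked table does not yield usable links. Re-registering an address
        that is pending but unconfirmed just issues a fresh nonce to that mailbox:
        the address is not taken until whoever reads the mailbox confirms it.
        """
        if email in self.confirmed:
            raise ValueError("address already confirmed")
        nonce = secrets.token_urlsafe(32)
        self.pending[email] = (
            hashlib.sha256(nonce.encode()).hexdigest(),
            self.now() + self.ttl,
        )
        # This link is only ever mailed to the address itself, so someone who
        # registers another person's address never receives it.
        return CONFIRM_URL + urlencode({"email": email, "nonce": nonce})

    def confirm(self, email, nonce):
        """Return True (and lock the address) only for a valid, unexpired nonce."""
        entry = self.pending.get(email)
        if entry is None:
            return False
        expected_hash, expires_at = entry
        if self.now() > expires_at:
            del self.pending[email]   # stale registration frees the address
            return False
        presented = hashlib.sha256(nonce.encode()).hexdigest()
        # Constant-time comparison so response timing leaks nothing about the value.
        if not hmac.compare_digest(expected_hash, presented):
            return False
        del self.pending[email]       # single use
        self.confirmed.add(email)
        return True


def nonce_from_link(link):
    """Extract the nonce a mail recipient would click on (helper for the demo)."""
    return parse_qs(urlparse(link).query)["nonce"][0]


def demo():
    """Replay the scenario from the article against the hardened flow."""
    store = RegistrationStore()
    my_link = store.register("me@example.invalid")
    store.register("colleague@example.invalid")   # link goes to that mailbox only
    # My own nonce is useless for confirming someone else's address.
    assert not store.confirm("colleague@example.invalid", nonce_from_link(my_link))
    # When the colleague really applies, they re-register and get a fresh link.
    their_link = store.register("colleague@example.invalid")
    assert store.confirm("colleague@example.invalid", nonce_from_link(their_link))
    # A confirmation link works exactly once.
    assert not store.confirm("colleague@example.invalid", nonce_from_link(their_link))
    return True


if __name__ == "__main__":
    print("hardened flow behaves as expected:", demo())
```

The two design decisions that matter are independent: the random nonce stops the guessing, and the "replace pending, lock only on confirmation" rule stops the denial-of-registration, which a nonce alone would not fix.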

The advisory says SAP has addressed the issue in SAP Security Note 2507798. ®
