SAP E-Recruiting bug could let you stop rivals poaching your people

This might be the rare case of a bug you don't want patched

SAP admins, there's an e-mail system bug that could give your HR department headaches, by blocking people from registering their e-mail with its E-Recruiting system.

The problem is that a registration URL provided to job-seekers is predictable, meaning an attacker could put other people's e-mail addresses into the system and guess the “e-mail confirmation” link. It could be blocked by adding a pre-registration nonce to the confirmation link, but that wasn't done in release versions 605, 606, 616 or 617.

As described by SEC Consult in its advisory, when someone registers with SAP's E-Recruiting solution, they get a confirmation e-mail containing an incremental (and therefore predictable) object called candidate_hrobject.

For an attacker, then, the process would be:

  • Register with an e-mail address they can access, and receive the confirmation link;
  • Immediately register with a “victim's” e-mail address, and guess the candidate_hrobject value to obtain the confirmation URL (multiple guesses may be needed).
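To make the weakness and the fix concrete, here is an added, self-contained Python model of the two confirmation-link schemes; it is illustrative code written for this article and not SAP's E-Recruiting code or anything from the SEC Consult advisory. The `BASE_URL`, the class and function names, the e-mail addresses and the 24-hour expiry are all constructed for the example. The weak scheme builds the link from the incrementing `candidate_hrobject` alone, so the neighbouring id is guessable; the hardened scheme also mints a random nonce per registration, stores only its hash, compares it in constant time, and expires unconfirmed registrations so a pre-registered address is freed again rather than being locked forever.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder endpoint for the example; not a real SAP URL.
BASE_URL = "https://recruiting.example.com/confirm"


class SequentialConfirmation:
    """Toy model of the weak scheme: the link carries only an incrementing id."""

    def __init__(self):
        self._next_id = 1000
        self._pending = {}    # candidate id -> e-mail
        self._confirmed = {}  # e-mail -> candidate id

    def register(self, email):
        cid, self._next_id = self._next_id, self._next_id + 1
        self._pending[cid] = email
        return f"{BASE_URL}?{urlencode({'candidate_hrobject': cid})}"

    def confirm(self, link):
        q = parse_qs(urlparse(link).query)
        try:
            cid = int(q["candidate_hrobject"][0])
        except (KeyError, ValueError):
            return False
        email = self._pending.pop(cid, None)
        if email is None:
            return False
        self._confirmed[email] = cid
        return True


class NonceConfirmation:
    """Hardened scheme: per-registration random nonce, hashed at rest, with expiry."""

    TTL_SECONDS = 24 * 3600  # constructed choice: unconfirmed registrations lapse after a day

    def __init__(self, clock=time.time):
        self._next_id = 1000
        self._clock = clock
        self._pending = {}    # candidate id -> (email, sha256(nonce), created_at)
        self._confirmed = {}

    @staticmethod
    def _digest(nonce):
        return hashlib.sha256(nonce.encode()).hexdigest()

    def register(self, email):
        self._expire()
        cid, self._next_id = self._next_id, self._next_id + 1
        nonce = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; never stored in clear
        self._pending[cid] = (email, self._digest(nonce), self._clock())
        return f"{BASE_URL}?{urlencode({'candidate_hrobject': cid, 'nonce': nonce})}"

    def confirm(self, link):
        self._expire()
        q = parse_qs(urlparse(link).query)
        try:
            cid = int(q["candidate_hrobject"][0])
            nonce = q["nonce"][0]
        except (KeyError, ValueError):
            return False
        entry = self._pending.get(cid)
        if entry is None:
            return False
        email, stored_digest, _ = entry
        # Constant-time comparison so response timing does not leak partial matches.
        if not hmac.compare_digest(stored_digest, self._digest(nonce)):
            return False
        del self._pending[cid]
        self._confirmed[email] = cid
        return True

    def is_pending(self, email):
        self._expire()
        return any(e == email for e, _, _ in self._pending.values())

    def _expire(self):
        now = self._clock()
        stale = [c for c, (_, _, t) in self._pending.items() if now - t > self.TTL_SECONDS]
        for cid in stale:
            del self._pending[cid]


def accepts_guessed_link(service):
    """Regression check: does a link built from 'my id + 1' (no nonce) confirm someone else?"""
    own = service.register("first@example.com")    # constructed addresses
    service.register("second@example.com")
    own_id = int(parse_qs(urlparse(own).query)["candidate_hrobject"][0])
    guess = f"{BASE_URL}?{urlencode({'candidate_hrobject': own_id + 1})}"
    return service.confirm(guess)
```

Running `accepts_guessed_link` against each class is the check a defender would keep in a test suite: it returns `True` for the sequential scheme and `False` for the nonce scheme. The expiry in `NonceConfirmation` is a design choice on top of the nonce, aimed at the second problem the article raises, an address pre-registered by someone else stays blocked only until the unconfirmed entry lapses.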

The SEC Consult post notes that some business processes assume people can be contacted by e-mail.

There's an unexpected upside to this bug: imagine you see a rival advertising a job that some of your people would fit. With minimal effort you could pre-register your team's e-mail addresses - including personal addresses if you know them - and because those addresses can only be used once in SAP's application, effectively prevent your people from applying for that job! Unless of course they whip up a new address ...

The advisory says SAP has addressed the issue in SAP Security Note 2507798. ®



Biting the hand that feeds IT © 1998–2017