SAP E-Recruiting bug could let you stop rivals poaching your people

This might be the rare case of a bug you don't want patched

By Richard Chirgwin

SAP admins, there's an email system bug that could give your HR department headaches, by blocking people from registering their email with its E-Recruiting system.

The problem is that a registration URL provided to job-seekers is predictable, meaning an attacker could put other people's emails into the system and guess the “email confirmation” link. It could have been blocked by adding a pre-registration nonce to the confirmation link, but that wasn't done in release versions 605, 606, 616 or 617.

As described by SEC Consult here, when someone registers with SAP's E-Recruiting solution, they get a confirmation e-mail containing an incremental (and therefore predictable) object called candidate_hrobject.

For an attacker, then, the process would be:

  • Register with an email address they can access, and receive the confirmation link;
  • Immediately register with a “victim's” email address, and guess the candidate_hrobject value to obtain the confirmation URL (multiple guesses may be needed).

The SEC Consult post notes that some business processes assume people can be contacted by email.
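The following is an added illustration, not SAP's code or anything from the SEC Consult advisory: a constructed, in-memory confirmation flow that contrasts a link built from the incremental candidate_hrobject alone (which anyone who knows the counter can confirm) with the mitigation the advisory describes, a per-registration random nonce that is stored hashed, time-limited and compared in constant time. The host name, class and method names are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed placeholder host; not a real E-Recruiting endpoint.
BASE = "https://recruiting.example.invalid/confirm"


class Registrations:
    """Toy stand-in for the pending-registration table (assumption)."""

    def __init__(self, nonce_ttl=3600):
        self._next_id = 1000   # incremental candidate_hrobject, as in the bug
        self._pending = {}     # candidate_hrobject -> record
        self._ttl = nonce_ttl

    def register_predictable(self, email):
        """Vulnerable pattern: the link carries only the sequential id."""
        cid, self._next_id = self._next_id, self._next_id + 1
        self._pending[cid] = {"email": email, "nonce_hash": None, "exp": None}
        return cid, BASE + "?" + urlencode({"candidate_hrobject": cid})

    def register_with_nonce(self, email):
        """Hardened: the link also carries an unguessable pre-registration nonce."""
        cid, self._next_id = self._next_id, self._next_id + 1
        nonce = secrets.token_urlsafe(32)
        self._pending[cid] = {
            "email": email,
            # Store only a hash so a leaked table does not yield valid links.
            "nonce_hash": hashlib.sha256(nonce.encode()).hexdigest(),
            "exp": time.time() + self._ttl,
        }
        return cid, BASE + "?" + urlencode({"candidate_hrobject": cid, "nonce": nonce})

    def confirm(self, cid, nonce=None):
        """Return True if the confirmation link is accepted; each id confirms once."""
        rec = self._pending.get(cid)
        if rec is None:
            return False
        if rec["nonce_hash"] is None:          # vulnerable path: id alone suffices
            del self._pending[cid]
            return True
        if nonce is None or time.time() > rec["exp"]:
            return False
        got = hashlib.sha256(nonce.encode()).hexdigest()
        if not hmac.compare_digest(got, rec["nonce_hash"]):  # constant-time
            return False
        del self._pending[cid]
        return True
```

With the hardened path, knowing that the next candidate_hrobject is 1001 tells a third party nothing useful, because the link cannot be completed without the nonce that was e-mailed to the address owner.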

There's an unexpected upside to this bug: imagine you see a rival advertising a job that some of your people would fit. With minimal effort you could pre-register your team's email addresses - including personal addresses if you know them - and because those addresses can only be used once in SAP's application, effectively prevent your people from applying for that job! Unless of course they whip up a new address ...

The advisory says SAP has addressed the issue in SAP Security Note 2507798. ®
