SAP E-Recruiting bug could let you stop rivals poaching your people

This might be the rare case of a bug you don't want patched

By Richard Chirgwin

SAP admins, there's an email system bug that could give your HR department headaches, by blocking people from registering their email with its E-Recruiting system.

The problem is that a registration URL provided to job-seekers is predictable, meaning an attacker could put other people's emails into the system and guess the “email confirmation” link. It could be blocked by adding a pre-registration nonce to the confirmation link, but that wasn't done in release versions 605, 606, 616 or 617.

As described by SEC Consult here, when someone registers with SAP's E-Recruiting solution, they get a confirmation e-mail containing an incremental (and therefore predictable) object called candidate_hrobject.

For an attacker, then, the process would be:

  • Register with an email address they can access, and receive the confirmation link;
  • Immediately register with a “victim's” email address, and guess the candidate_hrobject value to obtain the confirmation URL (multiple guesses may be needed).
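To make the nonce fix concrete, here is an added toy confirmation flow (constructed for this article, not SAP's code or anything from the SEC Consult advisory). The registry classes, the placeholder host and the `nonce` parameter are assumptions made for the example; only the `candidate_hrobject` parameter name comes from the advisory. The weak registry shows the pattern described above, where the link is fully determined by the incremental id; the hardened one binds a random, single-use, expiring nonce to each registration so the id alone no longer completes a confirmation.

```python
"""Toy e-mail confirmation flow: a link that carries only the incremental
candidate id, beside one that also carries a per-registration nonce.

Constructed illustration, not SAP code. The registry, the host name and the
``nonce`` parameter are assumptions made for this example; only the
``candidate_hrobject`` parameter name comes from the advisory.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

CONFIRM_BASE = "https://recruiting.example.invalid/confirm"  # placeholder host
NONCE_TTL_SECONDS = 24 * 3600  # assumed validity window for a confirmation link


@dataclass
class Registration:
    email: str
    candidate_hrobject: int
    nonce: Optional[str] = None   # stays None in the weak flow
    issued_at: float = 0.0
    confirmed: bool = False


def link_params(link: str) -> Dict[str, str]:
    """Flatten the query string of a confirmation link into {name: value}."""
    return {k: v[0] for k, v in parse_qs(urlsplit(link).query).items()}


def _candidate_id(params: Dict[str, str]) -> int:
    """Parse the candidate id from the link, returning -1 for a missing or bad value."""
    try:
        return int(params.get("candidate_hrobject", -1))
    except ValueError:
        return -1


class WeakRegistry:
    """Confirmation link is derived from the incremental id alone.

    This mirrors the flaw the advisory describes: anyone who can predict the
    next candidate_hrobject can confirm a registration without ever seeing
    the e-mail it was sent to."""

    def __init__(self, first_id: int = 1000):
        self._next_id = first_id
        self.regs: Dict[int, Registration] = {}

    def register(self, email: str) -> str:
        hr = self._next_id
        self._next_id += 1
        self.regs[hr] = Registration(email=email, candidate_hrobject=hr)
        return f"{CONFIRM_BASE}?candidate_hrobject={hr}"

    def confirm(self, link: str, now: Optional[float] = None) -> bool:
        reg = self.regs.get(_candidate_id(link_params(link)))
        if reg is None or reg.confirmed:
            return False
        reg.confirmed = True
        return True


class NonceRegistry(WeakRegistry):
    """Same flow, but the link also carries a random pre-registration nonce.

    The nonce is generated server-side, stored with the registration,
    compared in constant time, accepted once only, and expires after a TTL,
    so the id alone is no longer enough to complete a confirmation."""

    def register(self, email: str) -> str:
        link = super().register(email)
        reg = self.regs[self._next_id - 1]
        reg.nonce = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        reg.issued_at = time.time()
        return f"{link}&nonce={reg.nonce}"

    def confirm(self, link: str, now: Optional[float] = None) -> bool:
        params = link_params(link)
        reg = self.regs.get(_candidate_id(params))
        if reg is None or reg.confirmed or reg.nonce is None:
            return False
        current = time.time() if now is None else now
        if current - reg.issued_at > NONCE_TTL_SECONDS:
            return False  # stale link: require a fresh registration e-mail
        supplied = params.get("nonce", "").encode()
        if not hmac.compare_digest(reg.nonce.encode(), supplied):
            return False  # wrong or missing nonce: the id alone does not confirm
        reg.confirmed = True
        return True


if __name__ == "__main__":
    weak, hardened = WeakRegistry(), NonceRegistry()
    weak_link = weak.register("alice@example.invalid")
    hard_link = hardened.register("bob@example.invalid")
    id_only = hard_link.split("&nonce=")[0]
    print("weak flow, id only   :", weak.confirm(weak_link))    # True
    print("nonce flow, id only  :", hardened.confirm(id_only))   # False
    print("nonce flow, full link:", hardened.confirm(hard_link)) # True
    print("nonce flow, reuse    :", hardened.confirm(hard_link)) # False
```

The design points a defender would want are all in `NonceRegistry.confirm`: the nonce comes from the OS CSPRNG rather than anything derivable from the id, it is compared with `hmac.compare_digest` so response timing leaks nothing, and it is both single-use and time-limited, so a link that is intercepted or left in a mailbox cannot be replayed later. Pairing the nonce with the id also means a second registration for the same address cannot be completed by whoever merely counts registrations.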

The SEC Consult post notes that some business processes assume people can be contacted by email.

There's an unexpected upside to this bug: imagine you see a rival advertising a job that some of your people would fit. With minimal effort you could pre-register your team's email addresses - including personal addresses if you know them - and because those addresses can only be used once in SAP's application, effectively prevent your people from applying for that job! Unless of course they whip up a new address ...

The advisory says SAP has addressed the issue in SAP Security Note 2507798. ®
