SAP E-Recruiting bug could let you stop rivals poaching your people

This might be the rare case of a bug you don't want patched

By Richard Chirgwin

SAP admins, there's an email system bug that could give your HR department headaches, by blocking people from registering their email with its E-Recruiting system.

The problem is that a registration URL provided to job-seekers is predictable, meaning an attacker could put other people's emails into the system and guess the “email confirmation” link. It could be blocked by adding a pre-registration nonce to the confirmation link, but that wasn't done in release versions 605, 606, 616 or 617.

As described by SEC Consult here, when someone registers with SAP's E-Recruiting solution, they get a confirmation e-mail containing an incremental (and therefore predictable) object called candidate_hrobject.

For an attacker, then, the process would be:

  • Register with an email address they can access, and receive the confirmation link;
  • Immediately register with a “victim's” email address, and guess the candidate_hrobject value to obtain the confirmation URL (multiple guesses may be needed).
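The fix the advisory calls for is a per-registration nonce in the confirmation link. The following Python sketch is an added example, not SAP's code or anything from the SEC Consult advisory: it shows the flawed pattern (a link derived from the sequential candidate_hrobject alone) next to a hardened flow in which the link also carries a random nonce that is stored only as a hash, checked in constant time, single-use and time-limited. As an extra hardening beyond what the advisory describes, an address is treated as "taken" only once its registration is confirmed, so an unconfirmed claim by a third party cannot lock the real owner out. The host name, the 24-hour window and the class and function names are all assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

CONFIRM_BASE = "https://recruiting.example/confirm"  # placeholder host, not SAP's
TOKEN_TTL_SECONDS = 24 * 3600                         # assumed confirmation window


def _digest(nonce: str) -> str:
    # Store only a hash of the nonce: a leaked table then yields no usable links.
    return hashlib.sha256(nonce.encode("utf-8")).hexdigest()


@dataclass
class PendingRegistration:
    email: str
    nonce_digest: str
    expires_at: float
    confirmed: bool = False


class RecruitingRegistry:
    """Hypothetical registration store; not SAP's implementation."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._records: dict[int, PendingRegistration] = {}
        # Sequential id, like the candidate_hrobject in the advisory. Keeping
        # it is fine; it just must not be the only secret in the link.
        self._next_hrobject = 1000

    def weak_link(self, hrobject: int) -> str:
        """The flawed pattern: the link depends on the sequential id alone."""
        return f"{CONFIRM_BASE}?{urlencode({'candidate_hrobject': hrobject})}"

    def register(self, email: str) -> str:
        """Create a pending record and return the link to put in the e-mail."""
        hrobject = self._next_hrobject
        self._next_hrobject += 1
        nonce = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._records[hrobject] = PendingRegistration(
            email=email,
            nonce_digest=_digest(nonce),
            expires_at=self._clock() + TOKEN_TTL_SECONDS,
        )
        params = {"candidate_hrobject": hrobject, "nonce": nonce}
        return f"{CONFIRM_BASE}?{urlencode(params)}"

    def confirm(self, hrobject: int, nonce: str) -> bool:
        """Accept a link only once, only before expiry, only with its nonce."""
        rec = self._records.get(hrobject)
        if rec is None or rec.confirmed or self._clock() > rec.expires_at:
            return False
        if not hmac.compare_digest(rec.nonce_digest, _digest(nonce)):
            return False
        rec.confirmed = True
        return True

    def email_is_taken(self, email: str) -> bool:
        """Only a confirmed registration reserves an address (added hardening)."""
        return any(r.confirmed and r.email == email for r in self._records.values())


def parse_confirm_link(link: str) -> tuple[int, str]:
    """Split a confirmation link back into (candidate_hrobject, nonce)."""
    qs = parse_qs(urlparse(link).query)
    return int(qs["candidate_hrobject"][0]), qs.get("nonce", [""])[0]
```

With the nonce in place, knowing or guessing the next candidate_hrobject gives nothing on its own: the confirm step fails unless the 256-bit value from the e-mail is presented as well, and a link that has been used or has aged out is rejected regardless.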

The SEC Consult post notes that some business processes assume people can be contacted by email.

There's an unexpected upside to this bug: imagine you see a rival advertising a job that some of your people would fit. With minimal effort you could pre-register your team's email addresses - including personal addresses if you know them - and because those addresses can only be used once in SAP's application, effectively prevent your people from applying for that job! Unless of course they whip up a new address ...

The advisory says SAP has addressed the issue in SAP Security Note 2507798. ®
