Vulnerability Report: Information Exposure in Oracle's iRecruitment

Authors:
  • Eric Goldman

27 Apr 2010   ::   Security   ::   #Oracle #Vulnerability Report

 

Release Date: 4/27/2010

CVE Identifier: Pending

The following information exposure vulnerability has been reported to Oracle. Oracle reports that the following vulnerability has been addressed by patches and upgrades via January 2010 CPU via CVE-2010-0075 and via April 2010 CPU via CVE-2010-0861.

Employee information exposure and reporting-relationships public exposure from Oracle’s iRecruitment software

Oracle’s iRecruitment software is a HR system used by many government agencies and large private corporations. The system can be used to manage hiring information as well as current employee records. Upon using one such company’s hiring system as an external applicant, I followed a hyperlink and was able to recover the entire company’s corporate hierarchy, which includes employees names, contact information (primarily business-centric, but some personal information such as cell phones). More importantly, the vulnerability shows departmental breakdowns and reporting relationships in the hierarchy. Depending upon the amount of information stored and where by a particular organization, this could result in violation of employee privacy protection laws such as those from the state of Massachusetts.

No firewall or other technological safeguard must be defeated to retrieve this information, making it publically accessible to anyone. Minor issues could result in angry customers or consumer groups targeting or harassing individuals, or information being obtained by spammers or direct marketers in ways that were not intended by the organization. More nefarious uses of this information could include identity theft, blackmail, and industrial espionage. Identity theft could occur by collecting an individual’s contact information and posing as that person for the purpose of social engineering or otherwise, since they would know organizational relationships and names of specific people within the organization. An attacker could also use the information for social engineering by convincing a subordinate that a supervisor authorized him to give away sensitive information. For the purposes of blackmail, a blackmailer could threaten to expose incriminating information to colleges or supervisors. In terms of industrial espionage, this information could be used to physically penetrate the organization. It is also possible to identify the most productive parts of a competitors business and to blackmail key individuals or to hire them away in order to hurt the competition while recruiting top performers.

The software is widespread, but specific usage and information varies from company to company. In my research, I did not test the exposure on any government websites because of the possibility of committing a federal crime. I was however able to see the exploit in action on a number of private organizations including a large department store and a large online travel website. It is a matter of a trivial “inurl:” Google search to test and locate those who are vulnerable and have sensitive information exposure. In addition, it does not seem that this system has been updated in over 4 years. The vulnerability may be a mis-configuration error or it may be a lack of control.

Take a domain or subdomain name where the software is hosted:

{domain.com}

then go to this page:

http://{domain.com}/OA_HTML/OA.jsp?page=/oracle/apps/per/selfservice/empdir/webui/SimpleSrchPG

Use HTTP not HTTPS to connect; in some cases HTTPS worked, in other you received a login when accessing via HTTPS. At this point, one would then go to the advanced search. Using another search on the internet or business resource, locate a top level executive. For example, select the president, CEO, etc. You can then see the entire downward reporting hierarchy for the company, even using a lower level individual, you can select the view full hierarchy link or traverse up the tree manually. You will also notice you are now in HTTPS. If you try to navigate directly to the full hierarchy URL you will receive an error in my testing, however, following these steps has worked on several sites. Note, that if the initial search fails, in the advanced search you are permitted to use a one character string (e.g., last name “b”) which may return results if specific names are not coming up, not all tested sites had a direct link for full hierarchy as well. Testing also indicates that some organizations only use the tool for external recruitment and not internal management. Upon looking at previous published information on vulnerabilities and exposures in iRecruitment, I did not see this specific attack vector.

It would also seem that most companies have not evaluated the security repercussions or are purposely making this information public, for example there is a link on the iRecruitment page for “Privacy Statement” which commonly points to: http://personalize.this.link/ .

Of other interest you can access diagnostic parameters, however, this was not tested because of the effect it may have on system functionality or reporting, and I did not want to disrupt any business activity.

While highly sensitive information such as credit cards may not be exposed, for some organizations such as governments it could be a very high security risk to allow external knowledge of individual employees is a way that could easily be collected.

I do not have admin access to the software, so I have no tried accessing other parts of the system, but I assume there would be other pieces of sensitive personal or corporate information that could be picked up. In my experience, other corporations use much more secure measures to protect their hierarchy and employee base data.

Vulnerable sites located via “inurl:irecruitment”; “inurl:OA.jsp?page”, etc