By Dan Goodin in San Francisco
8th September 2009
Programming errors on a website that helps commuters carpool to work are
exposing sensitive information of workers for hundreds of employers in
Southern California, including at least one military installation.
The bugs, discovered last month on RideMatch.info, allow hackers access
to a variety of personal information, including individuals' names, home
addresses, phone numbers, the times they commute to and from work, and
in some cases employee numbers. The SQL injection vulnerability remained
active at the time of writing, more than two weeks after it was reported
to a developer who runs the website.
"There's sensitive data there that definitely shouldn't be on the
internet," said Kristian Hermansen, a security researcher who identified
the vulnerability after receiving an email from his employer saying he
was required by law to provide the information. "The reason I am
bringing this to your attention is that the issue is not being fixed by
the admins and most companies don't even know that their employees'
personal and corporate information, like employee ID [number and] login
ID, may have been compromised."
The form Hermansen was required to complete asked for a wealth of
personal information, including his typical work hours, the times he
begins work on each workday, and his employee ID. "The state can impose
monetary penalties on companies that fail to complete this survey," an
email sent by Hermansen's employer warned.