By Dan Goodin in San Francisco
8th September 2009
Programming errors on a website that helps commuters carpool to work are
exposing sensitive information of workers for hundreds of employers in
Southern California, including at least one military installation.
The bugs, discovered last month on RideMatch.info, allow hackers access
to a variety of personal information, including individuals' names, home
addresses, phone numbers, the times they commute to and from work, and
in some cases employee numbers. The SQL injection vulnerability remained
active at time of writing, more than two weeks after it was reported to
a developer who runs the website.
"There's sensitive data there that definitely shouldn't be on the
internet," said Kristian Hermansen, a security researcher who identified
the vulnerability after receiving an email from his employer saying he
was required by law to provide the information. "The reason I am
bringing this to your attention is that the issue is not being fixed by
the admins and most companies don't even know that their employees'
personal and corporate information, like employee ID [number and] login
ID, may have been compromised."
The form Hermansen was required to complete asked for a wealth of
personal information, including his typical work hours, the times he
begins work on each workday, and his employee ID. "The state can impose
monetary penalties on companies that fail to complete this survey," an
email sent by Hermansen's employer warned.
Please Donate to the Ron Santo Walk to
Cure Diabetes with Ethan's Crew!