Tuesday, October 27, 2009

Security Flaws Discovered In Calif. EDD Website

Via cbs5.com -

It's one of the most serious security breaches one computer expert has ever seen. CBS 5 Investigates has discovered a state-run web site may be putting hundreds of thousands of Californians at risk of identity theft.


It started off with a tip from a viewer, a local job seeker who noticed a computer glitch. Once CBS 5 looked closer, the glitch turned out to be a gaping hole.

For laid off workers such as Tom Diederich of Pacifica, it's a requirement: To get unemployment benefits you have to post your resume on CalJOBS, the state's job site. "I filled out my employment history and I saved it," said Diederich, who bookmarked it for future reference.

But the next day when he clicked back in he said, "I saw someone else's information. I saw their name, where they live, their email, their phone number. I was shocked, really."

And the next time, again? "I got a different person's information," said Diederich. "There was probably about 5 or 6 different times that I have seen it. It was more frightening because I said 'Who's seeing my information?'"

So how big of a problem is that? Expert Pam Dixon with the World Privacy Forum said, "That is not okay!" Because she said resumes are a gold mine for criminals.

[...]

CBS 5 asked UC Berkeley computer science professor and privacy expert, Doug Tygar to take a look at Diederich's problem. He said, "I consider that to be a serious security breach."

But it turns out, not the only one. Because just moments after beginning his examination of that website, using Diederich's web link, Tygar was able to get into the site, and look at other applicants' supposedly private data. "I was able to access other people's personal information including their address, their phone numbers, email, personal details," Tygar said.

All by just changing a few numbers in the URL. In fact, Tygar even found he was able to go in and change information on people's resumes. "I would in fact have been able to go through and change that if I were a malicious attacker," he said.

Tygar said a hacker looking for identities to steal could have thousands of resumes at his disposal. "They are giving the information out to people who they shouldn't."
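The flaw Tygar describes, a record fetched by a number taken from the URL with no check that the logged-in user owns it, is the classic insecure direct object reference. The following is an added illustration written for this post, not code from the article or from the CalJOBS site: it shows a lookup with the missing ownership check beside a hardened version, plus a simple log heuristic a defender could use to spot one session walking through many records. All function names, the `Resume` record and the sample data are constructed for the example.

```python
"""Insecure direct object reference: vulnerable lookup, hardened lookup, and a
detection heuristic. Every name and data value here is constructed for this
example and does not describe the real CalJOBS application."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Resume:
    resume_id: int
    owner_id: int
    name: str
    email: str


class Forbidden(Exception):
    """Raised when a user tries to read or modify a record they do not own."""


# Constructed sample data: three applicants, each with one resume.
RESUMES: Dict[int, Resume] = {
    1001: Resume(1001, owner_id=1, name="Applicant A", email="a@example.test"),
    1002: Resume(1002, owner_id=2, name="Applicant B", email="b@example.test"),
    1003: Resume(1003, owner_id=3, name="Applicant C", email="c@example.test"),
}


def get_resume_vulnerable(session_user_id: int, resume_id: int) -> Optional[Resume]:
    """The bug: the id from the URL is the only thing consulted, so any
    authenticated user can read every record just by changing the number."""
    return RESUMES.get(resume_id)


def get_resume_hardened(session_user_id: int, resume_id: int) -> Resume:
    """Look the record up, then require that the caller owns it."""
    resume = RESUMES.get(resume_id)
    # Treat "missing" and "not yours" identically so a caller cannot
    # distinguish existing ids from unused ones.
    if resume is None or resume.owner_id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not access resume {resume_id}")
    return resume


def update_email_hardened(session_user_id: int, resume_id: int, new_email: str) -> Resume:
    """Writes go through the same ownership check as reads."""
    resume = get_resume_hardened(session_user_id, resume_id)
    resume.email = new_email
    return resume


def can_access(session_user_id: int, resume_id: int) -> bool:
    """Convenience wrapper returning True if the hardened check permits access."""
    try:
        get_resume_hardened(session_user_id, resume_id)
        return True
    except Forbidden:
        return False


def distinct_resumes_per_user(access_log: List[Tuple[int, int]]) -> Dict[int, int]:
    """Detection heuristic over an access log of (user_id, resume_id) pairs:
    count how many distinct resume ids each session touched."""
    seen: Dict[int, set] = {}
    for user_id, resume_id in access_log:
        seen.setdefault(user_id, set()).add(resume_id)
    return {user: len(ids) for user, ids in seen.items()}


def flag_enumerators(access_log: List[Tuple[int, int]], threshold: int = 2) -> List[int]:
    """A normal applicant touches only their own record; a session touching
    more than `threshold` distinct ids is worth investigating."""
    counts = distinct_resumes_per_user(access_log)
    return sorted(user for user, n in counts.items() if n > threshold)


if __name__ == "__main__":
    # Constructed access log: user 2 walks through several ids.
    log = [(1, 1001), (2, 1002), (2, 1001), (2, 1003), (2, 1004), (3, 1003)]
    print("vulnerable lookup by user 1 of resume 1002:", get_resume_vulnerable(1, 1002))
    print("hardened lookup allowed:", can_access(1, 1002))
    print("sessions flagged for id-walking:", flag_enumerators(log))
```

The two lookups differ by a single comparison, which is the point: the fix is an authorization check tied to the session, not a change to the URL scheme. Opaque or random identifiers make guessing harder but are not a substitute for that check, since a leaked link (as in the bookmarked URL above) would still work.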
