Security Flaws Discovered In Calif. EDD Website

Anna Werner reports:

For laid off workers such as Tom Diederich of Pacifica, it’s a requirement: To get unemployment benefits you have to post your resume on CalJOBS, the state’s job site. “I filled out my employment history and I saved it,” said Diederich, who bookmarked it for future reference.

But the next day when he clicked back in he said, “I saw someone else’s information. I saw their name, where they live, their email, their phone number. I was shocked, really.”

And the next time, again? “I got a different person’s information,” said Diederich. “There was probably about 5 or 6 different times that I have seen it. It was more frightening because I said ‘Who’s seeing my information?’”

[…]

CBS 5 asked UC Berkeley computer science professor and privacy expert Doug Tygar to take a look at Diederich’s problem. He said, “I consider that to be a serious security breach.”

But it turns out, not the only one. Because just moments after beginning his examination of that website, using Diederich’s web link, Tygar was able to get into the site, and look at other applicants’ supposedly private data. “I was able to access other people’s personal information including their address, their phone numbers, email, personal details,” Tygar said.

All by just changing a few numbers in the URL. In fact, Tygar even found he was able to go in and change information on people’s resumes. “I would in fact have been able to go through and change that if I were a malicious attacker,” he said.

Read the full story on CBS.

About the author: Dissent
