Friday, October 23, 2009

UC Berkeley computer science professor and privacy expert Doug Tygar consulted about security flaws in CalJOBS website

When "CBS 5 Investigates" discovered that a state-run website might be putting hundreds of thousands of Californians at risk of identity theft, they asked UC Berkeley computer science professor and privacy expert Doug Tygar to take a look at a problem experienced by laid-off worker Tom Diederich.

Diederich had posted his resume on CalJOBS, the state's job site, as is required to receive unemployment benefits. However, when Diederich logged back in to the site the next day, he saw someone else's information, including their name, where they live, email and phone number. The next time he logged in he got a different person's information, and on the following five or six logins he again saw the details of those other people.

Professor Tygar said, "I consider that to be a serious security breach." Moreover, Tygar was able to get into the site and look at other applicants' supposedly private data. "I was able to access other people's personal information including their address, their phone numbers, email, personal details," Tygar said. Just by changing a few numbers in the URL, he was able to reach other people's resumes and could have altered the information on them. In other words, the site appears to have trusted a record number supplied in the URL to decide which resume to display, without checking that the logged-in user actually owned that record (the class of bug now commonly called an insecure direct object reference, or missing object-level authorization). "I would in fact have been able to go through and change that if I were a malicious attacker," he said.
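The following is an added illustration of the flaw described above, not code from CalJOBS or from the CBS 5 report. It shows a resume lookup that selects the record purely by the number in the URL, beside a version that also checks the record belongs to the logged-in user. The in-memory resume store, the user and resume ids, and the handler signatures are all assumptions made up for the example.

```python
"""Added example (not CalJOBS code): an insecure direct object reference
(IDOR) of the kind described in the article, beside the fixed handler.

Everything here is constructed for illustration: the in-memory resume
store, the user and resume identifiers, and the request shape are
assumptions, not anything known about the real site.
"""
from dataclasses import dataclass
from typing import Callable, Optional


class Forbidden(Exception):
    """Raised when a caller asks for a record they may not touch."""


@dataclass
class Resume:
    resume_id: int
    owner_id: int
    name: str
    email: str
    phone: str


# Constructed sample data: two applicants, one resume each.
RESUMES = {
    1001: Resume(1001, owner_id=1, name="Applicant A", email="a@example.org", phone="555-0101"),
    1002: Resume(1002, owner_id=2, name="Applicant B", email="b@example.org", phone="555-0102"),
}


def view_resume_vulnerable(session_user_id: Optional[int], resume_id: int) -> Resume:
    """Return the resume named by the id in the URL.

    The session is consulted only to confirm that *someone* is logged in;
    the record is chosen entirely by the caller-supplied id, so any
    logged-in user can read any resume by editing the number in the URL.
    """
    if session_user_id is None:
        raise Forbidden("login required")
    return RESUMES[resume_id]


def view_resume_fixed(session_user_id: Optional[int], resume_id: int) -> Resume:
    """Same lookup with an object-level authorization check.

    The id from the URL still locates the record, but it is returned only
    if it belongs to the authenticated user. 'Missing' and 'not yours' get
    the same error so a probe cannot learn which ids exist.
    """
    if session_user_id is None:
        raise Forbidden("login required")
    resume = RESUMES.get(resume_id)
    if resume is None or resume.owner_id != session_user_id:
        raise Forbidden("no such resume for this user")
    return resume


def update_resume_fixed(session_user_id: Optional[int], resume_id: int, **fields: str) -> Resume:
    """Write path that reuses the same ownership check.

    The check must guard every handler that touches the record (read and
    write alike); fixing only the read path would still let the attack
    the article describes alter other people's resumes.
    """
    resume = view_resume_fixed(session_user_id, resume_id)
    for key, value in fields.items():
        if key in ("name", "email", "phone"):
            setattr(resume, key, value)
    return resume


def attacker_can_read_others(handler: Callable[[Optional[int], int], Resume]) -> bool:
    """Simulate the reported probe: user 1 rewrites the id in the URL from
    1001 (their own resume) to 1002 (someone else's) and checks whether
    the handler hands over the other person's record."""
    try:
        victim = handler(1, 1002)
    except Forbidden:
        return False
    return victim.owner_id != 1


if __name__ == "__main__":
    print("vulnerable handler leaks:", attacker_can_read_others(view_resume_vulnerable))
    print("fixed handler leaks:", attacker_can_read_others(view_resume_fixed))
```

The durable fix is to scope every lookup by the authenticated identity, as `view_resume_fixed` does, or to drop the caller-supplied id altogether and select records by `owner_id = session user`; an unpredictable id alone is not a substitute for the check, since ids leak through bookmarks, logs and referrers.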

The glitch that allowed Diederich to click on his bookmark and read other people's resumes appears to be fixed. The Employment Development Department (EDD) said its website team is now following up on the other possible vulnerabilities identified by CBS 5 Investigates, and that any such vulnerabilities it confirms will be corrected immediately.

See full story at CBS News.