Sometimes the devil is in the details.
An incorrect setting can make the difference between your website being secure and it being wide open for hackers to steal massive amounts of personal data about the people who use it.
Cisco has found itself in the uncomfortable position of admitting that the mobile version of its Professional Careers website at https://mjobs.cisco.com was leaking the personal details of job applicants.
Information exposed by the vulnerability included job seekers’ names, usernames, passwords, email addresses, phone numbers, answers to security questions, educational and professional details, cover letters, resumes and other personal details.
In the hands of a social engineering-savvy criminal, such data could be a goldmine – helping them to assume the identities of others to commit fraud.
In a security note (PDF) shared with the Office of the Attorney General, Cisco explains that it became aware of the security vulnerability after an unnamed researcher responsibly informed them of the privacy hole. Apparently, it was the fault of an incorrect security setting after system maintenance work was completed.
Unfortunately that configuration mistake left users’ data exposed between August and September 2015, and again from July to August 2016.
To have one security mess-up might be considered unfortunate; to make the same mistake again begins to look like carelessness…
Things are made even more serious by the fact that there is no mention from Cisco of encryption or hashing when it comes to the passwords, suggesting that, had a criminal managed to access the data, exploiting it would have been child’s play.
Cisco says that it has now resolved the issue, and has enforced a password reset for all users. Needless to say, if you do use the Cisco Professional Careers website, be sure that you are not reusing the same password anywhere else on the internet.
Fortunately, there is no evidence that a criminal has accessed the sensitive data – but Cisco has good reason for erring on the side of caution:
We do not believe that the information was accessed by anyone beyond the researcher who found and reported the issue. However, there was an instance of unexplained, anomalous connection to the server during that time, so we are taking precautionary steps.
Cisco has told users that they can put 90-day fraud alerts on their accounts if they wish.
Companies need to take their responsibility for securing the details of their users (and, indeed, potential job seekers) seriously, or suffer the consequences. Ultimately, users will only have so much patience with big companies which really should be doing a much better job of ensuring that security holes like this don’t open up.