Recruitment Directory's Blog - Australia's #1 Recruitment Technology Blog!
We have uncovered various security errors with the new RCSA http://www.web.rcsa.com.au
website within 5 minutes of playing with it. Originally set for release in Oct 2008, the question is now - when, if ever it is to be released? We reported on finding the test site back in Dec 2008 "Reminder to all... Do not put your test website online" http://www.recruitmentdirectory.com.au/Blog/reminder-to-all-do-not-put-your-test-website-online-a27.html
Unfortunately the RCSA has chosen to use Drupal CMS (Content Management System) to power their new website. Drupal is a widely used CMS, but prone to many security issues http://drupal.org/security
I hope the RCSA can keep up with the security patches, as I do not feel my own membership data is safe.
The RCSA's aim "is to increase the profile and professionalism of the sector" but its ability to do so has been impeded by the information security on its own website. This security failure has not gone unnoticed within the industry and needs to be fixed immediately before it becomes another laughing stock like recent issues with Monster and the NSW Government Job Board.
Principle 4 of the National Privacy Principles (part of the Privacy Act), required an organisation to: "take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure".
This is also echoed in the RCSA's own Code of Conduct, which says "take reasonable steps to maintain the confidentiality and privacy of candidate, client and member information".
The current issues add weight to my stance that the RCSA does not understand technology and how it is used within the online recruitment industry. It could use some advice from its own members and suppliers, who are professional experts in these areas. So what are these errors?
- The server directory listings were left turned on, which allowed anyone to browse files, as well as data on the server (much like using Windows Explorer to navigate through files) this was occurring between Dec 2008 - Jan 2009
- Drupal's config file that stores the sites FTP and Database details was left open and not CHMOD'd
- The RCSA site has a "bridge" module which integrates the CMS with its backend CRM (Customer Relationship Management) Database to allow members to sign up/in and change their own details on the database.
- This custom module was created by 3rd party developers for the RCSA and stupidly still contains the server FTP Username/Password as well as the RCSA's Database Username/Password
We have not used any penetration or hacking tools to access any files or data. All the information was freely available on their website.
The following publically available file shows the source code for the bridge module. Note: We have removed the usernames, passwords, and URLs needed to access information on the CMS and CRM. VIEW CODE FILE HEREWhat now?
The RCSA should be a leader for the industry on information security. It is an area where it should work with its members to prevent unauthorized access and help them protect themselves.
Article URL: http://www.recruitmentdirectory.com.au/Blog/rcsa-website-security-will-become-an-industry-nightmare-a98.html
Article Tags: Hide Comments (0)
- Immediately take down and remove the new site. Fix the security errors with the 3rd party developers
- Immediately investigate a professional grade CMS which will be more robust and secure.
- Immediately inform members about this issue and what data has been accessed, modified or deleted