Select Website 

Recruitment Directory's Blog - Australia's #1 Recruitment Technology Blog!

Back to Menu Back to Menu

RCSA website security will become an industry nightmare

Posted By: Thomas Shaw, 3:48pm Thursday 05 February 2009    Print Article

We have uncovered various security errors with the new RCSA http://www.web.rcsa.com.au website within 5 minutes of playing with it. Originally set for release in Oct 2008, the question is now - when, if ever it is to be released? We reported on finding the test site back in Dec 2008 "Reminder to all... Do not put your test website online" http://www.recruitmentdirectory.com.au/Blog/reminder-to-all-do-not-put-your-test-website-online-a27.html

Unfortunately the RCSA has chosen to use Drupal CMS (Content Management System) to power their new website. Drupal is a widely used CMS, but prone to many security issues http://drupal.org/security

I hope the RCSA can keep up with the security patches, as I do not feel my own membership data is safe.

The RCSA's aim "is to increase the profile and professionalism of the sector" but its ability to do so has been impeded by the information security on its own website. This security failure has not gone unnoticed within the industry and needs to be fixed immediately before it becomes another laughing stock like recent issues with Monster and the NSW Government Job Board.

Principle 4 of the National Privacy Principles (part of the Privacy Act), required an organisation to: "take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure".

This is also echoed in the RCSA's own Code of Conduct, which says "take reasonable steps to maintain the confidentiality and privacy of candidate, client and member information".

The current issues add weight to my stance that the RCSA does not understand technology and how it is used within the online recruitment industry. It could use some advice from its own members and suppliers, who are professional experts in these areas.

So what are these errors?
  • The server directory listings were left turned on, which allowed anyone to browse files, as well as data on the server (much like using Windows Explorer to navigate through files) this was occurring between Dec 2008 - Jan 2009
  • Drupal's config file that stores the sites FTP and Database details was left open and not CHMOD'd
  • The RCSA site has a "bridge" module which integrates the CMS with its backend CRM (Customer Relationship Management) Database to allow members to sign up/in and change their own details on the database.
  • This custom module was created by 3rd party developers for the RCSA and stupidly still contains the server FTP Username/Password as well as the RCSA's Database Username/Password
We have not used any penetration or hacking tools to access any files or data. All the information was freely available on their website.

The following publically available file shows the source code for the bridge module. Note: We have removed the usernames, passwords, and URLs needed to access information on the CMS and CRM.

VIEW CODE FILE HERE

What now?

The RCSA should be a leader for the industry on information security. It is an area where it should work with its members to prevent unauthorized access and help them protect themselves.
  • Immediately take down and remove the new site. Fix the security errors with the 3rd party developers
  • Immediately investigate a professional grade CMS which will be more robust and secure.
  • Immediately inform members about this issue and what data has been accessed, modified or deleted



Article URL: http://www.recruitmentdirectory.com.au/Blog/rcsa-website-security-will-become-an-industry-nightmare-a98.html

Article Tags:

Comments Hide Comments (0)

Feel free to join in on the conversation. All comments are moderated before publishing. Comments posted by subscribers don't necessarily reflect the views of Recruitment Directory.

Your Name: * Required
Your Email Address: * Required
Website URL:
Comments: * Required
Refresh
Enter the code you see in the image above (case sensitive). Click on the image to refresh it.
 


Back to Menu Back to Menu



Random Blog Articles

Translating Recruitment Software
Published: 12:30pm Wednesday 14 October 2009

Recruitment Agency Websites
Published: 9:58pm Monday 05 January 2009

Gartner's 2009 Magic Quadrant for E-Recruitment Software report
Published: 5:50pm Thursday 10 December 2009

Radio Interview - Great jobs and where to find them
Published: 12:36pm Monday 16 March 2009

Recruitment Directory releases white label iPhone job search applications
Published: 10:00am Friday 07 August 2009