Select Website 

Recruitment Directory's Blog - Australia's #1 Recruitment Technology Blog!

Back to Menu Back to Menu

RCSA website security will become an industry nightmare

Posted By: Thomas Shaw, 3:48pm Thursday 05 February 2009    Print Article

We have uncovered various security errors with the new RCSA website within 5 minutes of playing with it. Originally set for release in Oct 2008, the question is now - when, if ever it is to be released? We reported on finding the test site back in Dec 2008 "Reminder to all... Do not put your test website online"

Unfortunately the RCSA has chosen to use Drupal CMS (Content Management System) to power their new website. Drupal is a widely used CMS, but prone to many security issues

I hope the RCSA can keep up with the security patches, as I do not feel my own membership data is safe.

The RCSA's aim "is to increase the profile and professionalism of the sector" but its ability to do so has been impeded by the information security on its own website. This security failure has not gone unnoticed within the industry and needs to be fixed immediately before it becomes another laughing stock like recent issues with Monster and the NSW Government Job Board.

Principle 4 of the National Privacy Principles (part of the Privacy Act), required an organisation to: "take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure".

This is also echoed in the RCSA's own Code of Conduct, which says "take reasonable steps to maintain the confidentiality and privacy of candidate, client and member information".

The current issues add weight to my stance that the RCSA does not understand technology and how it is used within the online recruitment industry. It could use some advice from its own members and suppliers, who are professional experts in these areas.

So what are these errors?
  • The server directory listings were left turned on, which allowed anyone to browse files, as well as data on the server (much like using Windows Explorer to navigate through files) this was occurring between Dec 2008 - Jan 2009
  • Drupal's config file that stores the sites FTP and Database details was left open and not CHMOD'd
  • The RCSA site has a "bridge" module which integrates the CMS with its backend CRM (Customer Relationship Management) Database to allow members to sign up/in and change their own details on the database.
  • This custom module was created by 3rd party developers for the RCSA and stupidly still contains the server FTP Username/Password as well as the RCSA's Database Username/Password
We have not used any penetration or hacking tools to access any files or data. All the information was freely available on their website.

The following publically available file shows the source code for the bridge module. Note: We have removed the usernames, passwords, and URLs needed to access information on the CMS and CRM.


What now?

The RCSA should be a leader for the industry on information security. It is an area where it should work with its members to prevent unauthorized access and help them protect themselves.
  • Immediately take down and remove the new site. Fix the security errors with the 3rd party developers
  • Immediately investigate a professional grade CMS which will be more robust and secure.
  • Immediately inform members about this issue and what data has been accessed, modified or deleted

Article URL:

Article Tags:

Comments Hide Comments (0)

Feel free to join in on the conversation. All comments are moderated before publishing. Comments posted by subscribers don't necessarily reflect the views of Recruitment Directory.

Your Name: * Required
Your Email Address: * Required
Website URL:
Comments: * Required
Enter the code you see in the image above (case sensitive). Click on the image to refresh it.

Back to Menu Back to Menu

Random Blog Articles

Creating Adobe AIR Job Search Applications
Published: 6:30pm Sunday 22 November 2009

How to confuse a job seeker
Published: 11:42am Monday 22 March 2010

Creating an Effective Social Media Strategy, Part 9 - Evaluate Impact, Donít Continue Blindly
Published: 6:09pm Friday 04 September 2009

SMS referral programs
Published: 3:38pm Tuesday 12 January 2010

RCSA website security will become an industry nightmare
Published: 3:48pm Thursday 05 February 2009