Select Website 

Recruitment Directory's Blog - Australia's #1 Recruitment Technology Blog!

Back to Menu Back to Menu

RCSA website security will become an industry nightmare

Posted By: Thomas Shaw, 3:48pm Thursday 05 February 2009    Print Article

We have uncovered various security errors with the new RCSA http://www.web.rcsa.com.au website within 5 minutes of playing with it. Originally set for release in Oct 2008, the question is now - when, if ever it is to be released? We reported on finding the test site back in Dec 2008 "Reminder to all... Do not put your test website online" http://www.recruitmentdirectory.com.au/Blog/reminder-to-all-do-not-put-your-test-website-online-a27.html

Unfortunately the RCSA has chosen to use Drupal CMS (Content Management System) to power their new website. Drupal is a widely used CMS, but prone to many security issues http://drupal.org/security

I hope the RCSA can keep up with the security patches, as I do not feel my own membership data is safe.

The RCSA's aim "is to increase the profile and professionalism of the sector" but its ability to do so has been impeded by the information security on its own website. This security failure has not gone unnoticed within the industry and needs to be fixed immediately before it becomes another laughing stock like recent issues with Monster and the NSW Government Job Board.

Principle 4 of the National Privacy Principles (part of the Privacy Act), required an organisation to: "take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure".

This is also echoed in the RCSA's own Code of Conduct, which says "take reasonable steps to maintain the confidentiality and privacy of candidate, client and member information".

The current issues add weight to my stance that the RCSA does not understand technology and how it is used within the online recruitment industry. It could use some advice from its own members and suppliers, who are professional experts in these areas.

So what are these errors?
  • The server directory listings were left turned on, which allowed anyone to browse files, as well as data on the server (much like using Windows Explorer to navigate through files) this was occurring between Dec 2008 - Jan 2009
  • Drupal's config file that stores the sites FTP and Database details was left open and not CHMOD'd
  • The RCSA site has a "bridge" module which integrates the CMS with its backend CRM (Customer Relationship Management) Database to allow members to sign up/in and change their own details on the database.
  • This custom module was created by 3rd party developers for the RCSA and stupidly still contains the server FTP Username/Password as well as the RCSA's Database Username/Password
We have not used any penetration or hacking tools to access any files or data. All the information was freely available on their website.

The following publically available file shows the source code for the bridge module. Note: We have removed the usernames, passwords, and URLs needed to access information on the CMS and CRM.

VIEW CODE FILE HERE

What now?

The RCSA should be a leader for the industry on information security. It is an area where it should work with its members to prevent unauthorized access and help them protect themselves.
  • Immediately take down and remove the new site. Fix the security errors with the 3rd party developers
  • Immediately investigate a professional grade CMS which will be more robust and secure.
  • Immediately inform members about this issue and what data has been accessed, modified or deleted



Article URL: http://www.recruitmentdirectory.com.au/Blog/rcsa-website-security-will-become-an-industry-nightmare-a98.html

Article Tags:

Comments Hide Comments (0)

Feel free to join in on the conversation. All comments are moderated before publishing. Comments posted by subscribers don't necessarily reflect the views of Recruitment Directory.

Your Name: * Required
Your Email Address: * Required
Website URL:
Comments: * Required
Refresh
Enter the code you see in the image above (case sensitive). Click on the image to refresh it.
 


Back to Menu Back to Menu



Random Blog Articles

Use of Flash Animations in Recruitment Sites
Published: 2:41pm Thursday 22 January 2009

Interview with Jane Damon from Chameleon-i
Published: 1:22pm Tuesday 27 January 2009

What should you build first - mobile website or native app?
Published: 7:57am Thursday 24 March 2011

Apply for a job by attaching your LinkedIn profile
Published: 12:04pm Tuesday 15 June 2010

Radio Interview - Online Recruitment in a web 2.0 world
Published: 9:35pm Monday 11 May 2009