RCSA website security will become an industry nightmare


Posted By: Thomas Shaw, 3:48pm Thursday 05 February 2009

We have uncovered various security errors in the new RCSA website http://www.web.rcsa.com.au within 5 minutes of playing with it. Originally set for release in Oct 2008, the question now is when, if ever, it will be released. We reported on finding the test site back in Dec 2008 in "Reminder to all... Do not put your test website online" http://www.recruitmentdirectory.com.au/Blog/reminder-to-all-do-not-put-your-test-website-online-a27.html

Unfortunately the RCSA has chosen to use the Drupal CMS (Content Management System) to power its new website. Drupal is a widely used CMS, but it is prone to many security issues http://drupal.org/security

I hope the RCSA can keep up with the security patches, as I do not feel my own membership data is safe.

The RCSA's aim "is to increase the profile and professionalism of the sector", but its ability to do so has been impeded by the state of information security on its own website. This security failure has not gone unnoticed within the industry and needs to be fixed immediately, before it becomes another laughing stock like the recent issues with Monster and the NSW Government Job Board.

Principle 4 of the National Privacy Principles (part of the Privacy Act) requires an organisation to "take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure".

This is also echoed in the RCSA's own Code of Conduct, which says members must "take reasonable steps to maintain the confidentiality and privacy of candidate, client and member information".

The current issues add weight to my stance that the RCSA does not understand technology and how it is used within the online recruitment industry. It could use some advice from its own members and suppliers, who are professional experts in these areas.

So what are these errors?

We have not used any penetration or hacking tools to access any files or data. All the information was freely available on their website.

The following publicly available file shows the source code for the bridge module. Note: we have removed the usernames, passwords, and URLs needed to access information on the CMS and CRM.

VIEW CODE FILE HERE
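The underlying problem described above is twofold: credentials for the CRM were hardcoded in a Drupal module's source, and that source file was served verbatim to anyone who asked for it. The following is an added example for site operators, not code from the RCSA site or from Drupal: a small scanner that walks a deployed web root, looks at the file types Drupal ships as source (the extension list and credential patterns are assumptions chosen for this example), and reports any line that looks like an embedded username, password or `user:pass@host` connection string, with the values redacted so the report itself does not leak them. The sample web root it scans is constructed inline.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed list of extensions that hold source rather than content on a Drupal
# site and should never be served verbatim (not taken from the RCSA site).
SOURCE_EXTENSIONS = {".module", ".inc", ".install", ".bak", ".orig"}

# Assumed heuristics for an embedded credential in PHP-style source.
CREDENTIAL_PATTERNS = [
    # $something_password = '...';  (also secret, passwd, api_key)
    re.compile(r"""\$\w*(pass|passwd|password|secret|api_?key)\w*\s*=\s*['"][^'"]+['"]""", re.I),
    # $something_user = '...';  (also username, login)
    re.compile(r"""\$\w*(user|username|login)\w*\s*=\s*['"][^'"]+['"]""", re.I),
    # scheme://user:pass@host/...  (connection strings with inline credentials)
    re.compile(r"""\w+://[^\s'"/]+:[^\s'"@]+@[^\s'"]+"""),
]


def redact(line):
    """Blank every quoted value so the report does not re-leak the secret."""
    return re.sub(r"""(['"])[^'"]*\1""", r"\1***\1", line)


def scan_file(path):
    """Return (path, line number, redacted line) for each suspicious line."""
    findings = []
    try:
        text = Path(path).read_text(errors="replace")
    except OSError:
        return findings
    for lineno, line in enumerate(text.splitlines(), 1):
        if any(pat.search(line) for pat in CREDENTIAL_PATTERNS):
            findings.append((str(path), lineno, redact(line.strip())))
    return findings


def scan_webroot(root):
    """Walk the web root and scan every file whose extension is source-like."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if Path(name).suffix.lower() in SOURCE_EXTENSIONS:
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return sorted(findings)


def build_sample_webroot():
    """Construct a throwaway web root with a bridge-style module for the demo."""
    root = tempfile.mkdtemp(prefix="webroot_")
    module_dir = Path(root, "sites", "all", "modules", "crm_bridge")
    module_dir.mkdir(parents=True)
    # Constructed sample module: credentials embedded directly in source.
    (module_dir / "crm_bridge.module").write_text(
        "<?php\n"
        "// constructed sample, not real code\n"
        "$crm_user = 'bridge_user';\n"
        "$crm_password = 'S3cretValue';\n"
        "$crm_url = 'https://crm.example.invalid/api';\n"
        "function crm_bridge_connect() { return TRUE; }\n"
    )
    # Constructed include with a connection string carrying inline credentials.
    (module_dir / "crm_bridge.inc").write_text(
        "<?php\n"
        "$db_url = 'mysql://drupal:dbpass@localhost/drupal';\n"
    )
    # Documentation is not source; the word "password" here is not a finding.
    (module_dir / "README.txt").write_text("Set the password in the admin UI.\n")
    return root


if __name__ == "__main__":
    for path, lineno, line in scan_webroot(build_sample_webroot()):
        print(f"{path}:{lineno}: {line}")
```

Running it prints three redacted findings: the user and password assignments in `crm_bridge.module` and the `user:pass@host` string in `crm_bridge.inc`, while the README is skipped. The complementary check, which this script does not do, is to fetch one of the flagged `.module` or `.inc` paths over HTTP from outside and confirm the server refuses it; on Apache, Drupal's shipped `.htaccess` is what normally provides that refusal, so a missing or overridden `.htaccess` is the first thing to look for when source is being served as text.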

What now?

The RCSA should be a leader for the industry on information security. It is an area where it should work with its members to prevent unauthorised access and help them protect themselves.