[guessmyname]

> Email addresses, Job titles, Names, Phone numbers, Physical addresses, Social media profiles

I just got the email notification from HIBP (Have I Been Pwned) a few minutes ago [1], but I am not worried about the compromised data because 1) my personal email address, job title and phone number are all visible in my resume which is publicly available in my website, I actually encourage people —mostly tech recruiters— to download the PDF and contact me via email or phone all the time and 2) my physical address is irrelevant because I have been moving houses every year for the last seven (7) years (even across countries a couple of times. All the social media accounts I have are completely empty, I just keep them around to get a hold on to my nickname.

I recently found, in my website’s HTTP logs, several requests from a web crawler controlled by ZoomInfo [3] an American subscription-based software as a service (SaaS) company that sells access to its database of information about business people and companies to sales, marketing and recruiting professionals. I was going to configure my firewall to block these requests but then I remembered —hey! my website only has information I am comfortable sharing, so it doesn’t matter— but I’ve been thinking it is just a matter of time before someone hacks one of their systems and leaks their database.

In my previous-previous job I found a fairly simple (persistent) XSS vulnerability in BambooHR that allowed non-authorized users to access data from all employees registered in the website including Social Security Numbers (SSN). I told my boss and we immediately edited everything before migrating to a different system. We never knew if BambooHR fixed the vulnerabilities and I wouldn’t be surprised if the data was leaked before or after I found the security hole.

Software security is such a Whac-A-Mole game, even if you get the budget to conduct security audits on your code, there is always going to be a weak link somewhere in the chain and that will be your doom. This is one of the many reasons why I left that job as a Security Engineer, the other reasons were Meltdown [3] and Spectre [4] they both made me realize I was fighting for a lost cause.

[1] https://haveibeenpwned.com/NotifyMe

[2] https://en.wikipedia.org/wiki/ZoomInfo

[3] https://en.wikipedia.org/wiki/Meltdown_%28security_vulnerabi...

[4] https://en.wikipedia.org/wiki/Spectre_%28security_vulnerabil...

[cpv]

> Email addresses, Job titles, Names, Phone numbers, Physical addresses, Social media profiles

Probably these can have a different impact if your threat model is a bit different (money, status, living area, position held, etc).

Reminds me the story about an investigative reporter known in these parts, who was swatted: https://krebsonsecurity.com/2013/03/the-world-has-no-room-fo...

or received a drug package from an investigated person, basically it was a trap: https://krebsonsecurity.com/2015/10/hacker-who-sent-me-heroi...

The journalist knew about this and informed the police beforehand. Happy end.

To add a little more, I have seen people posting on social media answers to posts like "your favorite car, your place of birth, name of mother, name of pet". Guess who uses those words for similar secret questions?

Some personal identifiable information can be used to fabricate fake IDs, for various purposes.

And if we have a linked graph with all the personal, job, address, interacted people, geo-places, etc, it can get creepy (sounds like Facebook, but much more open).

Not saying we all should get paranoid, but leaked data could be used in different ways.

[sirius87]

The BambooHR theory is interesting. I looked up email addresses of co-workers at a startup I worked for a few years ago (Jul'15-Jun'16). I was with them earlier in 2012-13. My work email isn't there. But the slice of people between Apr'13-Jul'15...all there. I guess we ran through a bunch of HR software during the period, BambooHR being one of them. So either it's a subset of BambooHR or its some other product a bunch of people at my workplace signed up for.

[nucleardog]

Our company's been on BambooHR for 3-4 years now I think (me personally for a little over two). Can't find any of our company's addresses in there. So either partial or old if that's where it came from.

Others are saying they've found data from as recently as mid-2019, so could be possible that the reason it's so hard to find a source is that this is multiple sources. Looking at this as a dump from some sort of contact manager, could see this being a dump from some sales guy's CRM or something where he'd imported multiple datasets as potential leads alongside his personal contacts.

[Thoughtful]

On the BambooHR issue, can you elaborate a bit more?

[guessmyname]

BambooHR is written in PHP and as it is widely known PHP allows incompetent programmers to create insecure websites. The majority of BambooHR pages are loaded by referencing a page ID, for example, you can access this URL [1] to render a form that allows you to send documents to arbitrary e-mail addresses, and this URL [2] allows you to edit your own profile.

So far so good, if you are a competent PHP programmer (or any other programming language) you make sure these IDs are not consecutive to avoid enumeration attacks, but even if they are part of a guessable sequence you can still secure them by restricting access to all pages except the ones associated to the user ID in the session.

The vulnerabilities I found were a combination of Path Traversal [3], Forced Browsing [4] and Stored Cross Site Scripting [5] that allowed anyone to 1) force a specific PHP file to load arbitrary pages, 2) access data associated to other employee identifiers and 3) send all documents associated to these employee IDs to arbitrary emails by accessing the “Email File” page and crafting a simple HTTP request to bypass a rudimentary form validation.

When I told my boss he continued the investigation and found that we could access certain amount of data associated to employees registered in other subdomains. People who are familiar with BambooHR will understand how stupid this specific problem is considering each subdomain is isolated from the others, so one would expect them to isolate the databases as well.

I don’t know anything about the architecture of their system so I cannot explain why these security holes allowed us to access data from other companies. I was very scared to continue digging into it and my boss was super pissed off. We didn’t know if they used soft deletes so instead of removing the company’s data we decided to edit it with garbage information, then we migrated to another system.

And that was the end of our story with them. We never reported the problems because I started my “research” without previous authorization from BambooHR so if we reported our findings they could sue my employer and we would be in bigger problems. Same thing happened when we found a vulnerability on HipChat [6] in 2014 or so, we reported it and they got super angry at us for conducting that penetration test without permission, the company made an agreement with them and we migrated to Slack.

Good luck to anyone whose employer is still using BambooHR to manage their employee database.

[1] /ajax/employees/files/email_file.php?id=19

[2] /employees/employee.php?id=EMPLOYEE_ID&page=PAGE_ID

[3] https://owasp.org/www-community/attacks/Path_Traversal

[4] https://owasp.org/www-community/attacks/Forced_browsing

[5] https://owasp.org/www-community/attacks/xss/

[6] https://en.wikipedia.org/wiki/HipChat

[gtsteve]

> PHP allows incompetent programmers to create insecure websites.

The points you bring up are good but my first instinct was to distrust you as you opened with that. I don't believe any specific shortcoming of PHP makes these issues more or less likely. Anyone can make an insecure website in any language.

Secondly I don't think I quite agree with the ethics of dropping a security vulnerability in a public forum. I think you should edit this message to remove the details and go through the proper channels to get this resolved, if it is indeed still a problem.

[Nextgrid]

Bare PHP (without any framework) and the tons of bad advice surrounding it make it easier to screw up than other languages where it's very hard to do web development without a framework so most beginners start off with a framework directly which provides structure and guard-rails against doing insecure things.

[fragmede]

I mean, you're not wrong, but starting the post off by insulting PHP is childish and doesn't inspire trust that the rest of the report is worth reading.

[fragmede]

Personally, the ethics of it are secondary to the fact that BambooHR could, sue HN to recover the IP address guessmyname used to post, followed by suing their ISP to get an address, and then trawl through their records/backups to link it to an individual. Now, BambooHR may not be run by assholes (I've never encountered them before), and choose to fix the bug quietly rather than go after "guessmyname" with a lawsuit, but companies are not known for being especially insightful when computer security comes up. (Such as the HipChat example mentioned.)

Hopefully guessmyname always uses VPN/public hotspot to access this site, if it turns out that BambooHR is run by litigious jerks.

[notwhereyouare]

I reviewed them when looking for a HR provider...thankfully they didn't offer everything I was looking for. But man, that's scary