Hack of Irish job site exposes user names, addresses

Employment search site RecruitIreland.com has reopened its doors following a security breach that exposed users' names and email addresses. The site, which claims to add 350 new users each day and email a newsletter to 170,000 registered job candidates, warned that some clients were already receiving spam that tried to recruit …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Everyone interested by the data...

    ... except employers.

  2. DrXym

    It could have been worse

    Hackers got first name, last name and an email address. I was a victim of the subsequent phishing attack which was pretty amateurish. But it does illustrate (yet again) that some sites really aren't paying as much attention to keeping their data safe as they should. This is especially true of sites which deal with real world names and data. It's one thing to have a pseudo hacked on a forum, it's quite another when spammers have your info in real life.

    1. nematoad

      Me too

      Yes, I got one of these e-mails. I'm glad I now know what it was all about. Looking at the thing rang alarm bells and I just deleted it, I have also deleted my account with RecruitIreland. I haven't used it in years and sheer inertia kept it going. So in one way the spammers did me a small service.

  3. Jan 0 Silver badge
    Grenade

    Coding standards at all time low?

    I've been receiving spam for the address I've used on jobsite, for years. I never saw action or apology from jobsite when it started. Has recruitireland actually apologised to its subscribers?

    Well done el Reg - no spam to the address I use with you and long may it remain so.

  4. Anonymous Coward
    FAIL

    Monster

    I stopped using Monster because I have been getting lots of junk email ever since I used Monster. I am hoping that jobsite and a few others will be helpful in job hunting. The worst are JAM. I have been getting all sorts of useless jobs coming my way from them. I only just finished university, I don't think I will be able to get a 60k first job!

    Don't get me started on job agencies and how they love to mangle CVs.

  5. Anonymous Coward

    I remember that site

    Back when the Irish Tiger was looking like less of a paper tiger, I considered getting a job in the Irish IT jobs market and became familiar with quite a few Irish job websites. RecruitIreland was definitely one of them. Now (because this was about 2001/2) many websites were still heavily IE5/6-orientated, and so if you couldn't run that browser (because of your choice of operating system) you'd become quite adept at knocking up local forms to POST data at the sites using the browser that you could use, in order to navigate in it and submit your applications. It took a bit of digging through source HTML and working out how the Javascript would have worked, but it was all good practice.

    RecruitIreland weren't unique in this respect - Monster and all the others were also flaky - (the early years of this century, are not proud ones, for the IT industry ) but after a while of hacking your way in and reading dreadful spaghetti Javascript on these sites, to locate the variables and values you needed to send, for your next submission, your natural curiosity would get the better of you and you'd start seeing how strong they were against simple things like SQL-injection.

    Now, I *seem* to recall RecruitIreland as being one of the ones that would respond to simple "Anything' or 'x'='x'" type submissions (basic security 101 stuff), by sending back XML stacks of user data. I quite recall my surprise, the first time it happened: it was all indented properly, and had namespace references, and everything. This was really pretty XML.

    It didn't do this if you used the forms on the website itself, so I'm guessing some sort of client-side validation was involved (there was a mass of Javascript, involved, and half the includes actually 404'ed when you went to look at them: this wasn't 'security through obscurity', so much, as 'security through sheer exhaustion').

    I only got it to send me back my own data (including values I had submitted on previous sessions, though, so it was definitely coming from a datastore, somewhere) but I wasn't pursuing it with any rigour (I wasn't trying to get a job with a recruitment website: I was mainly applying for jobs with banks, in fact...! Just think: Irish banks. Seemed like a pretty good bet, at the time. How things have changed!)

    I didn't know what to make of this XML-squirting behaviour. AJAX didn't exist (as a web 2.0 buzzword, at least), and so I just guessed that what I was seeing was intended for some sort of VB application they were using internally. Years later, I realised that it may have been an early example of the use of an XMLHTTP object for asynchronous page loading, since I remember that the site in question didn't work in IE 4, either.

    It was a lot of years ago, and it may have been completely unrelated to this story - but it does illustrate how basic security will fix 90% of the problem, and that one of the best excuses for coding to standards, is that it stops you from being interesting enough to look at, in the first place.

    I wrote to the site maintainers, at the time, telling them about this odd behaviour, but never got any acknowledgement (I never got a job in an Irish bank, either, but in hindsight that may not have been such a bad thing).
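The behaviour described in the comment above (a `' or 'x'='x` submission that bypassed the site's client-side Javascript checks and returned a dump of stored data) is the classic SQL injection through string-built queries. The following is an added example, not code from the original page or from RecruitIreland: it builds an in-memory SQLite table of constructed sample candidates and contrasts a lookup that concatenates the submitted value into the SQL text with the same lookup done through a bound parameter, which is the server-side fix that works regardless of what the browser did or did not validate. Table and column names are assumptions for the example.

```python
import sqlite3

# Constructed sample data for the example; names and addresses are made up.
SAMPLE_CANDIDATES = [
    ("Aoife Example", "aoife@example.invalid"),
    ("Brian Example", "brian@example.invalid"),
    ("Ciara Example", "ciara@example.invalid"),
]

# The string shape the comment describes: closes the quoted literal, then
# appends a condition that is always true.
INJECTION_INPUT = "anything' or 'x'='x"


def build_db():
    """Create an in-memory database holding the constructed candidate rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE candidate (first_name TEXT, email TEXT)")
    conn.executemany("INSERT INTO candidate VALUES (?, ?)", SAMPLE_CANDIDATES)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Build the WHERE clause by concatenation: the submitted value becomes SQL.

    With INJECTION_INPUT the query text becomes
        ... WHERE email = 'anything' or 'x'='x'
    and every row in the table is returned.
    """
    sql = "SELECT first_name, email FROM candidate WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, email):
    """Bind the submitted value as a parameter: it can only ever be compared
    against the email column as data, never parsed as SQL.
    """
    sql = "SELECT first_name, email FROM candidate WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def handle_lookup_request(conn, form):
    """Server-side handling of a submitted form, independent of any browser
    validation: reject values that cannot be an address, then query safely.
    """
    email = form.get("email", "")
    if email.count("@") != 1 or len(email) > 254:
        return {"error": "invalid email"}
    rows = lookup_parameterised(conn, email)
    return {"results": [{"first_name": fn, "email": em} for fn, em in rows]}


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, INJECTION_INPUT))     # all three rows
    print("parameterised:", lookup_parameterised(db, INJECTION_INPUT))  # []
    print("request:", handle_lookup_request(db, {"email": INJECTION_INPUT}))
```

The plausibility check in `handle_lookup_request` is defence in depth only; the parameter binding is what removes the injection, and it also stops legitimate values such as an address containing an apostrophe from breaking the query.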

  6. Anonymous Coward
    Joke

    Why did they patch it 3 times?

    To be sure, to be sure, to be sure.

  7. BillG
    WTF?

    Monster Problem

    I just changed my password over at Monster. The new password is POSTed over an UNENCRYPTED connection.

    Isn't that comforting? I just spent two weeks implementing a custom user security system for my new user registration application that I built from the ground up, with SSL, passwords stored with SHA256 & salt, multiple security redundancies... and here Monster can't be bothered to apply the basics.

  8. Chatelaine

    "I apogolise from the heart of my bottom"

    @ Jan 0: yes, Recruit Ireland emailed its subscribers to apologise for the security breach. Haven't visited their website, but their Facebook page carried the apology as well. Not sure if my details were hacked, I suppose I'll know when I get some dodgy job offers!
