Jobvite, a recruiting platform for the social web, has been found vulnerable to common but critical web application vulnerabilities that could allow an attacker to compromise the company’s website and steal its database.
Jobvite is a social recruiting and applicant tracking platform created for companies with the highest expectations of recruiting technology and candidate quality. Growing companies use Jobvite’s social recruiting, sourcing and talent acquisition solutions to target the right talent and build the best teams.
An independent security researcher, Mohamed M. Fouad from Egypt, has found two major flaws in the Jobvite website that could be used by an attacker to compromise the company’s web server. As a responsible security researcher, Fouad reported the critical flaws to the Jobvite team three months ago, but the company has not fixed them yet.
According to Fouad, Jobvite is vulnerable to Boolean-based SQLi (SQL injection) and LFI (local file inclusion) vulnerabilities, which he describes as among the best security vulnerabilities he has ever discovered.
SQL INJECTION VULNERABILITY
SQLi, or SQL injection, is one of the many web attack mechanisms used by hackers to steal data from organizations, and it is perhaps the most common application-layer attack technique in use today. Attackers take advantage of improper coding in a web application that lets them inject SQL commands into, say, a login form: because user input is pasted into the query text instead of being passed as data, the database executes the attacker's SQL and gives them access to the data it holds.
Mohamed told The Hacker News that the SQLi vulnerability in the Jobvite website allowed him to gain access to the company’s website database, which includes the confidential data of its admin users (Jobvite employees) along with their emails, hashing salts and hashed passwords.
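To make the mechanism concrete, here is an added example (not code from the article, Jobvite, or SilverStripe) that builds a constructed in-memory SQLite user table of the kind the article describes (username, salt, hashed password), looks a user up with a string-concatenated query beside a parameterized one, and shows that only the concatenated version lets the WHERE clause be rewritten by the input. The table layout, the sample users, and the use of SHA-256 as the salted hash are assumptions made for the demonstration.

```python
import sqlite3
import hashlib
import hmac

# Constructed sample data for this example only; not Jobvite's schema or data.
# SHA-256 is used here for brevity; a production system should use a slow,
# purpose-built password hash such as bcrypt, scrypt or Argon2.
SAMPLE_USERS = [
    ("admin", "c0ffee", hashlib.sha256(b"c0ffee" + b"correct horse").hexdigest()),
    ("editor", "decade", hashlib.sha256(b"decade" + b"battery staple").hexdigest()),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Unsafe: the username is pasted into the SQL text, so the database parses it as SQL.
    A value such as x' OR '1'='1 changes the WHERE clause and returns a row that the
    caller never asked for; with an AND '1'='2 suffix the row disappears again, which is
    the true/false difference a Boolean-based injection observes."""
    sql = "SELECT username, salt, pw_hash FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()


def find_user_safe(conn, username):
    """Safe: the username travels as a bound parameter and is compared as a plain string."""
    sql = "SELECT username, salt, pw_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()


def check_password(record, password):
    """Recompute the salted hash for the supplied password and compare in constant time."""
    if record is None:
        return False
    _, salt, stored = record
    candidate = hashlib.sha256(salt.encode() + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, stored)


def login(conn, username, password, lookup=find_user_safe):
    """Authenticate with the chosen lookup; the parameterized one is the default."""
    return check_password(lookup(conn, username), password)


if __name__ == "__main__":
    db = make_db()
    probe = "nobody' OR '1'='1"
    print("vulnerable lookup:", find_user_vulnerable(db, probe))  # leaks the first row
    print("safe lookup:     ", find_user_safe(db, probe))         # None: no such user
    print("login admin:     ", login(db, "admin", "correct horse"))
```

The point of the contrast is that the parameterized lookup never lets input reach the SQL parser: the same probe string that rewrites the condition in the concatenated query is simply a username that does not exist. The fix is mechanical (bind every user-controlled value) and does not depend on guessing which characters an attacker might use.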
Using the Jobvite LFI vulnerability, an attacker can gain access to critically important files stored on the web server, such as /etc/passwd or /etc/hosts. Fouad used the LFI flaw to view all of the user accounts that exist on the company’s Linux server.
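The root cause of an LFI flaw is a file name taken from the request and joined to a directory without checking where the result lands. The following added example (not code from the article or any of the parties it names) constructs a throwaway "pages" directory, shows the unchecked join beside a resolver that canonicalizes the path and rejects anything outside that directory, and also restricts includes to flat `.html` names as defence in depth. The directory layout and file names are assumptions made for the demonstration.

```python
import os
import tempfile


def make_sample_site():
    """Create a throwaway directory holding the only file the app may include (constructed)."""
    base = tempfile.mkdtemp(prefix="lfi_demo_")
    pages = os.path.join(base, "pages")
    os.mkdir(pages)
    with open(os.path.join(pages, "about.html"), "w") as f:
        f.write("<h1>About</h1>\n")
    return pages


def include_vulnerable(pages_dir, requested):
    """Unsafe: the request value is joined to the directory with no check.
    os.path.join discards pages_dir entirely when `requested` is absolute,
    and a '..' component walks out of it, so any readable file on the server
    (for example /etc/passwd) can be returned to the client."""
    with open(os.path.join(pages_dir, requested)) as f:
        return f.read()


def safe_include_path(pages_dir, requested):
    """Return the real path of the requested page, or None when it is not a plain
    .html file sitting directly inside pages_dir after canonicalization."""
    root = os.path.realpath(pages_dir)
    target = os.path.realpath(os.path.join(root, requested))
    # realpath collapses '..' and follows symlinks, so compare final locations,
    # not the string the client sent.
    if os.path.commonpath([root, target]) != root:
        return None
    # Defence in depth: only flat names with the expected extension.
    if os.path.dirname(target) != root or not target.endswith(".html"):
        return None
    if not os.path.isfile(target):
        return None
    return target


def include_safe(pages_dir, requested):
    """Read the page only if the resolver accepted it; None means 'not found'."""
    path = safe_include_path(pages_dir, requested)
    if path is None:
        return None
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    pages = make_sample_site()
    print(include_safe(pages, "about.html"))               # page content
    print(include_safe(pages, "../../../../etc/passwd"))   # None
    print(include_safe(pages, "/etc/passwd"))              # None
```

A resolver like this is the check that turns "which file do you want?" into "which of these files do you want?": the traversal and absolute-path cases both canonicalize to somewhere outside the pages directory and are refused before any file is opened. A further hardening step that the example does not need, but a real deployment should take, is running the web server as an unprivileged account so that files such as /etc/shadow are unreadable even if a check is missed.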
SQLi VULNERABILITY STILL GOES UNPATCHED
According to Fouad, the company has neither acknowledged the SQLi flaw nor fixed it, leaving the Jobvite CMS database vulnerable to hackers.
When The Hacker News asked Fouad about the fixes, he replied, “I think they fixed LFI because it’s not working now, but during my attack I got all LINUX USERS. But the site is still vulnerable to the SQLi vulnerability.”
“I approached the company 6 times during the last 4 months but I got no reply, specifically from “Mahesh,” the security consultant, Jobvite security. I don’t know about their plan for the SQLi fix, but the last reply was 4 months ago,” he added.
Fouad believes that this critical vulnerability may also impact the oDesk website because of the integration between the two, but he is still investigating the issue.
UPDATE
Jobvite’s CTO, Adam Hyder, told The Hacker News that the website uses SilverStripe, an open source CMS, to host Jobvite marketing content only. “Our corporate site does not contain any application or customer data. Jobvite application and customer data are completely secure,” he said. But the SQL injection vulnerability in the SilverStripe CMS exposes Jobvite employees’ login credentials to an attacker.
SilverStripe told the researcher that the SQLi vulnerability on Jobvite’s website stems from Jobvite’s own custom code and does not originate from the default CMS.