Student applies for job at Virgin Media and discovers huge website security flaw in the process
Virgin Media said it will not offer a bug bounty for finding the third-party flaw.
A student uncovered a security vulnerability in the job placement website of Virgin Media that allegedly exposed "about 30,000 to 50,000" applications featuring personal information such as names, home addresses, email details and telephone numbers.
In a blog post published on Twitter's Medium platform, Alikhan Uzakov, a student and self-described hacker, claimed to have uncovered the flaw while job-hunting. Virgin Media, for its part, was thankful for the responsible reporting, but it declined to offer a reward.
"Whilst I was filling out an application form for Virgin Media, I was offered the option to see my uploaded CV. What happened was quite surprising," Uzakov said. "The URL revealed a directory where my CV was stored."
He continued: "When I opened the directory I was able to see all past and present applications. This was a broken access control. In layman terms this means that access to certain data was allowed without authorisation.
"About 30,000–50,000 applications, past and present, were accessible. Personal information including telephone numbers, emails, where someone lives, and other details were out there in the open: my personal information was exposed as well."
Uzakov said he then reported the issue, first via the Virgin Media Twitter account, then by contacting the firm's London offices. After speaking to a security engineer, the researcher said Virgin moved quickly to patch the security problem.
"Virgin resolved it, but unfortunately despite talks of some sort of recognition for my work, I was informed [...] I would not receive a reward nor public recognition," Uzakov said. A spokesperson reportedly told him: "At the moment there is no programme to reward people for finding vulnerabilities."
At the time of writing, the job placement application webpage is displaying a 404 message and is not accessible. "Our graduate and intern application site is currently undergoing maintenance – but don't panic!! Our team are fixing the issue now," it reads.
In a statement to IBTimes UK, a Virgin Media spokesperson said: "Virgin Media works with a third party that provides an online application service for graduates wishing to apply for Virgin Media jobs.
"After a vulnerability on the third party company's website was identified, the website was suspended and the issue is being fixed. The service will be resumed soon. Virgin Media's systems were not affected in any way."
The tech-savvy student told IBTimes UK he was not speaking out to attack Virgin Media but instead to "promote openness." In the blog post, he elaborated: "The problem is patched now but had I been someone with malicious intentions I [...] might not have reported it at all."
"Maybe we should try to promote a more open approach where people are being rewarded for good actions and public recognition through open media rather than trying to hide the fact that sometimes we all make mistakes."