Topics: Bug, Government, Privacy, Programming

Programmer Discovers Unprotected Access to State's Jobless Claims Portal's Admin Mode (arktimes.com)

Long-time Slashdot reader bbsguru shares a story from the alternative newsweekly the Arkansas Times. "A computer programmer applying for unemployment on Arkansas's Pandemic Unemployment Assistance program discovered a vulnerability in the system that exposed the Social Security numbers, bank account and routing numbers and other sensitive information of some 30,000 applicants.

"Anyone with basic computer knowledge could have accessed personal information for malicious purposes." Alarmed, the computer programmer called the Arkansas Division of Workforce Services Friday morning and was told by an operator that there was no one available who could talk to him. He then tried someone at the Arkansas State Police Criminal Investigation Division, who told the programmer he would find the person he needed to talk with to fix the situation. The programmer later called the Arkansas Times for advice on whom to call. The Times alerted the Division of Workforce Services to the issue at 4:30 p.m. Soon after a message appeared on the website that said, "The site is currently under maintenance...."

In exploring the website, the computer programmer determined that by simply removing part of the site's URL, he could access the administrative portal of the site, where he had the option of editing the personal information of applicants, including bank account numbers. From the admin portal, he viewed the page's source code and saw that the site was using an API (application programming interface) to connect with a database. That API was also left unencrypted, and he could access all of the applicants' raw data, including Social Security numbers and banking information...

The computer programmer said he thought he could have programmed a script that would gather all of the information from the API in under an hour.
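The failure described above is a textbook case of broken access control: the admin portal was "protected" only by not being linked, and the data API behind it answered anyone who asked. The article calls the API "unencrypted", but the behaviour it describes, raw applicant records returned to an unauthenticated caller, is a missing authentication and authorization check, which TLS alone would not fix. The following Python model is an added example, not code from the Arkansas site or the Arkansas Times; every path, token, and record in it is constructed for illustration. It shows the vulnerable routing pattern beside a deny-by-default version that decides authorization server side on every request (including an object-level check so an applicant can only read their own record), and an audit routine that requests every known route with no credentials and lists those that still hand back data, which is the check the agency could have run before going live.

```python
"""Deny-by-default authorization vs. URL obscurity (added example).
All paths, tokens and applicant records below are constructed/fake."""
import hmac
from dataclasses import dataclass, field

# Constructed sample records standing in for applicant data (fake values).
APPLICANTS = {
    "A-1001": {"name": "Applicant One", "ssn": "000-00-0001", "routing": "000000001", "account": "1111"},
    "A-1002": {"name": "Applicant Two", "ssn": "000-00-0002", "routing": "000000002", "account": "2222"},
}

# Server-side session store: opaque token -> (applicant id or None, role). Constructed.
SESSIONS = {
    "tok-admin": (None, "admin"),
    "tok-applicant-1001": ("A-1001", "applicant"),
}


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: object = None


def vulnerable_app(req: Request) -> Response:
    """Every route is served to whoever asks. The admin page is merely
    unlinked, and the data API it calls checks no credential at all."""
    if req.path == "/pua/apply":
        return Response(200, "<form>public application form</form>")
    if req.path == "/pua":  # one path segment removed -> admin portal
        return Response(200, "<script>fetch('/pua/api/applicants')</script>")
    if req.path == "/pua/api/applicants":  # raw records, no auth
        return Response(200, dict(APPLICANTS))
    return Response(404)


PUBLIC_ROUTES = {"/pua/apply", "/pua/login"}  # the only routes served without a session


def _session(req: Request):
    """Look up the session cookie; constant-time compare against stored tokens."""
    token = req.cookies.get("session")
    if token is None:
        return None
    for stored, ident in SESSIONS.items():
        if hmac.compare_digest(stored.encode(), token.encode()):
            return ident
    return None


def hardened_app(req: Request) -> Response:
    """Authorization decided server side on every request, deny by default:
    anything not on the public allowlist needs a valid session, so there is
    no hidden URL to stumble onto."""
    if req.path in PUBLIC_ROUTES:
        return Response(200, "<form>public application form</form>")
    ident = _session(req)
    if ident is None:
        return Response(401)
    applicant_id, role = ident
    if req.path == "/pua":
        return Response(200, "<admin portal>") if role == "admin" else Response(403)
    if req.path == "/pua/api/applicants":
        if role == "admin":
            return Response(200, dict(APPLICANTS))
        # object-level check: an applicant sees only their own record
        return Response(200, {applicant_id: APPLICANTS[applicant_id]})
    return Response(404)


def audit_unauthenticated(app, paths):
    """Request every known route with no credentials and return those that
    answer 200 with a body despite not being on the public allowlist."""
    exposed = []
    for p in paths:
        resp = app(Request(p))
        if resp.status == 200 and resp.body not in (None, "") and p not in PUBLIC_ROUTES:
            exposed.append(p)
    return exposed


ROUTES = ["/pua/apply", "/pua", "/pua/api/applicants", "/pua/login"]

if __name__ == "__main__":
    print("vulnerable exposes:", audit_unauthenticated(vulnerable_app, ROUTES))
    print("hardened exposes:", audit_unauthenticated(hardened_app, ROUTES))
```

The audit is deliberately dumb: it knows nothing about which routes are "supposed" to be private and simply asks whether anything outside the allowlist responds to a stranger. Run against the vulnerable model it flags both the admin page and the API; against the hardened one it flags nothing, because the allowlist is the single place where "public" is defined and every other route inherits the session check.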

  • Nice... (Score:5, Insightful)

    by Frosty Piss ( 770223 ) * on Saturday May 16, 2020 @11:40AM (#60067500)

    Dude is lucky they didn't have him arrested for hacking.

    • Exactly. It is a mistake to give up your name when exposing this shit.

    • Comment removed based on user account deletion
      • not really. he was trying to do the right thing. good for him.

        Yes, but the saying, "No good deed goes unpunished." didn't come from nowhere.

      • Re:Nice... (Score:4, Informative)

        by HiThere ( 15173 ) on Saturday May 16, 2020 @01:40PM (#60067804)

        Sorry, but it's happened before. And often.

        • by Kjella ( 173770 )

          Sorry, but it's happened before. And often.

          Well, I imagine it has to be 50-50 between "wtf, who the hell are you, poking about in our systems looking for exploits" and "oh holy shit, thank you for bringing this to our attention". I mean, at any employer I've had, trying to hack their systems and steal data would be a fireable offense. Many of them jailable, in fact. If we take this over to the real world, maybe you did burglarize a home and found their drug stash or terror plans or child porn. But to get to that point, you must have been committing a burglar

          • by HiThere ( 15173 )

            There have been people specifically hired to do penetration testing who have been arrested for doing it. In the case that hit the slashdot front pages they eventually got off. That hasn't happened every time.

          • I mean what I'd say is the sane-laws way to do it. If you get caught attempting to break into someone's house, there's no excuse. On the other hand, if you find the threat and clearly get out undetected, special consideration should be made for when you risk everything to bring it to the attention of authorities.
    • Re:Nice... (Score:4, Insightful)

      by Njovich ( 553857 ) on Saturday May 16, 2020 @12:29PM (#60067640)

      They can still do it.

    • Yeah, he really should have stopped right after finding access to the portal; the fact that he then dug further to find account details and look at the connections to the database has left him a very easy target for prosecution.
    • Comment removed based on user account deletion
  • Just go look at the landing page for Arkansas DWS [arkansas.gov]. It just gets worse from there. Old school doesn't apply here. It looks exactly the same today as it did in 2003.
    • Look at the bottom above the logo: "Copyright © 2007 Arkansas Department of Workforce Services"
      The code has not been touched in 13 years.
      • by Revek ( 133289 )
        My daughter was filing an unemployment claim last week and it is exactly the same as it was in 2003. I knew when I saw it that it had been owned before. How many times has someone harvested the information and sold it?
      • by hey! ( 33014 ) on Saturday May 16, 2020 @12:32PM (#60067652)

        The style sheet is dated March 21, 2007; the javascript library is dated August 15, 2007.

        That said, it's not like people didn't know better back then than to rely on URL obscurity for security. It's not even necessarily the programmer's fault. Maybe they relied on HTTP authentication, which went away with a server upgrade or something.

    • "We take the security and privacy of our applicant's data very seriously," Zoe Calkins, communications director for the Division of Workforce Services, said in an email.

      Then she fell on the floor LHAO...

    • It looks exactly the same today as it did in 2003.

      That's not a problem.

      • by Revek ( 133289 )
        I would bet that it hasn't changed since then. Same buttons, same text. Someone may have updated it in 2007, but functionally it's the same as it was in 2003. When I used it in 2003 it would only work with Internet Explorer. They updated it in 2007 so it would work with Firefox. That is the problem.
        • Being old isn't a problem. The problem is it wasn't built with security in mind. That kind of thing happens with new stuff, too.
    • But that is NOT the site that was compromised. Arkansas currently has two. According to reports, the one that was compromised was just built for this pandemic to take the load off of the main system. Guess they got in too big of a hurry to get online.

      I do agree, though, the DWS site does look like an amateur built it. You should see the pages you have to log in to get to. It looks terrible, but it works. And yes, I live in Arkansas drawing unemployment while on furlough.

    • Just go look at the landing page for Arkansas DWS [arkansas.gov]. It just gets worse from there. Old school doesn't apply here. It looks exactly the same today as it did in 2003.

      This is terrifying. I can't imagine typing personal information into that page.
      And I thought Michigan's sites were outdated garbage. Holy crap.

  • by Revek ( 133289 ) on Saturday May 16, 2020 @11:47AM (#60067528)
    From the landing page: "This site is best suited if used with Microsoft Internet Explorer 6.0 or higher or Mozilla Firefox 2.0."
  • Jesus FUCK! People need to start going to prison for this bullshit.
  • by lasermike026 ( 528051 ) on Saturday May 16, 2020 @01:36PM (#60067796)

    This doesn't have to happen. There are more than enough engineers and coders that would be willing to help states to lock down their systems pro bono. I would.

    • Oh, that's not how government works.

      It's important to shift your perspective when thinking about government/large business. It's not a question of cost. Cost simply isn't a constraint. To a certain extent, the more expensive something is, the better. For some "better" means it's higher quality, for others "better" means it boosts their budgets higher ( and thus, keeps their budgets higher ).

      Regardless, no one wants a product they can get for free.

    • And, on an unemployment web site, you just have to check for skills and say, "Hey, since you're out of work anyway, can we pay you a pittance to fix this site?"
    • What, and put some Government union job at risk? Why do you hate Government employees so? Better put you on a list for EXTRA scrutiny on your State filings...
  • by bjdevil66 ( 583941 ) on Saturday May 16, 2020 @02:15PM (#60067916)

    There are servers and web sites sitting out there that were built over a decade ago by student workers "learning how to code 101" types because state agencies couldn't afford to pay for real professionals.

    I'm actually surprised this isn't reported in the news more often. (Or, there are a lot of programmers who find the holes and don't say anything - or worse.)

    Kudos to the guy that made the effort to force the agency to take action.

    • Or there are professional programmers who say "security bugs are no big deal" and even after a huge vulnerability is found, they don't try to improve their programming, they carry on as if nothing happened.
      • As a former security dev who used to teach security dev practices to developers back in the early 2000s, it was more that developers thought they knew security. I had more than a few sessions I was supposed to run where the dev leads said they did not need training and that they had solid security already. Usually I had to get their management to force them to come, and then I would get permission to use their app to demonstrate all the vulnerabilities they had; the worst one was a whole team that adamantly refus
        • It's amazing to me that SQL injection is still a thing.

          Anyway recently I saw a case where there was an extremely obvious security bug, so bad that even non-technical people could understand the impact and how to exploit it. The lead developer said, "Our security is good, we just missed one case." I didn't even know how to answer that.
  • Your account number, routing number and name are on every check.

    If you've ever written a check to anyone or done a wire transfer, etc., then you have given that information to someone else. Every check has your name, account number and routing number printed on it.

    Yes, it was way fucking stupid they left a huge hole open but there's no critical data lost, if the summary is correct about what was there.

    Can we pretend to be grown up about this stuff and stop going into panic mode over the "hack" of data that's
  • Or should I say: Headline's readings cancer's me given?
