
UK job search website vulnerability allows unchecked job postings

Moriah Sargent, Contributor

Hackers have obtained personal details of more than 70 job applicants by exploiting a flaw in the U.K. government's Universal Jobmatch website. According to U.K. television station Channel 4 News, security checks are not performed on the people who post jobs, and job advertisements go unchecked as well.

A group of hackers seeking to draw attention to the security flaws used clearly false information to register as employers. They then posted a fake advertisement for a cleaning job to the site. Applicants for the job handed over highly sensitive personal details, including national insurance numbers, email addresses, dates of birth, personal addresses and scans of passports. Hackers who are able to collect these kinds of information could easily commit identity fraud, or illegally access applicants' email, bank accounts and other online accounts.


Channel 4 investigators were also able to register to the site within minutes. They have notified the U.K.'s privacy watchdog, the Information Commissioner's Office, of the problem.

User-generated content on forums and other websites has been a growing concern. Basic website security controls scan user-contributed content for invalid URLs, malware and malicious scripts that can cause serious problems. Research issued in May by security firm Imperva highlighted the dangers of user-generated content. Many social media sites run PHP, a common Web development language that can make sites vulnerable to attack.

In a statement about the Jobmatch website, the U.K. Department of Work and Pensions said:

"The site clearly advises jobseekers not to give out personal details like bank accounts or National Insurance numbers until a job offer's been made. Anybody seeking to acquire personal data by publishing fake job adverts should be aware this is potentially an attempt to commit fraud and that is a criminal offence.

"The security of a claimant's data is of the utmost importance to us and we have a number of checks in place when employers register to use the site. Sadly, there will always be a small number of cases where people seek to get around these checks. If someone is being asked for personal information or details beyond their CV [curriculum vitae] we would recommend they alert Jobcentre Plus immediately."

The Universal Jobmatch website can be accessed via the U.K. government portal gov.uk. It was launched on Nov. 19 as a replacement for the Jobcentre Plus website, which Channel 4 News exposed as being vulnerable to fraudsters in 2011.

