Graduate recruitment site exposed 50,000 CVs sent to Virgin Media UK

Kid schools telco: 'So have you heard of access controls?'

28 Reg comments Got Tips?

Virgin Media has shuttered a kindergarten-grade bug in a third party website that exposed up to 50,000 résumés it's received over the years, complete with names, street and email addresses of applicants.

The vulnerability was due to entirely absent access controls on a public server to which applicants were directed to upload their résumés.

British student hacker Alikhan Uzakov (@alikhan_uzakov) found he was able to peruse the entire directory without restraint or being challenged to log in.

"About 30,000 to 50,000 applications, past and present, were accessible," Uzakov says in a blog.

"Personal information including telephone numbers, emails, where someone lives, and other details were out there in the open: my personal information was exposed as well.

"The problem is patched now but had I been someone with malicious intentions, I could have done a lot more and might not have reported it at all."

Uzakov phoned Virgin Media's London Hammersmith office to report the flaw and "walked" a security engineer through resolving the mind-bending bug.

He says Virgin Media would not comment on the vulnerability nor award him a bug bounty or name recognition for the bug.

The graduate recruitment site has been fixed and is back online. ®


Biting the hand that feeds IT © 1998–2020