50,000 CVs sent to Virgin Media UK Exposed on internet

[Qtx]

Looks like someone forgot to disable directory browsing on the web server, allowing anyone to remove part of the url and then see all the uploaded CV's.

Quote:

Virgin Media has shuttered a kindergarten-grade bug in a third party website that exposed up to 50,000 résumés it's received over the years, complete with names, street and email addresses of applicants.

The vulnerability was due to entirely absent access controls on a public server to which applicants were directed to upload their résumés.

British student hacker Alikhan Uzakov (@alikhan_uzakov) found he was able to peruse the entire directory without restraint or being challenged to log in.

"About 30,000 to 50,000 applications, past and present, were accessible," Uzakov says in a blog.

"Personal information including telephone numbers, emails, where someone lives, and other details were out there in the open: my personal information was exposed as well

Full Story: http://www.theregister.co.uk/2016/10...50000_resumes/

[pip08456]

Quote:

Originally Posted by Qtx

Looks like someone forgot to disable directory browsing on the web server, allowing anyone to remove part of the url and then see all the uploaded CV's.



Full Story: http://www.theregister.co.uk/2016/10...50000_resumes/

He should take them to court for breaching the data protection act.