The platform, categorized as a Human Capital Management (HCM) tool, allows companies to manage their staff and is used by large corporations, as stated on its official website. The bug in question was found by researchers Mauricio Santos and Hori, both from security firm Under Protection, who shared first-hand details of the incident with The Hack. The problem is that, by using a specific parameter in the URL where the software is installed, it is possible to enter the system with administrator privileges without authenticating on the login screen.
The error exists in Rubi web builds. The vulnerability, in short, exploits a flaw in the application's simple parameter passing, which results in an unauthenticated query made directly with the user account the application itself uses to access data in the database. "Where the user configured to run the application is highly privileged, several accesses are granted, making the situation worse," he explains. "That is, in addition to not requesting the necessary authentication, the universe of exposed data makes the failure dangerous in times of concern about the LGPD. No one wants to have their payroll exposed to the entire internet," he continues.

Easy to exploit

According to the experts, Senior was alerted to the flaw, registered under on December, but it was only disclosed.

The failure was treated by the manufacturer as a deployment configuration failure. "Several companies use the system but do not expose it to the internet or on other ports, but with some indexing and dorks it is possible to find search patterns," he adds. Following the steps for exploiting the flaw, we were able to find, through a simple Google search, a company using a vulnerable version of — by using the parameters indicated by the researchers in the platform installation URL, we confirmed how easy it is to enter the system and reach sensitive data. We had access to the list of employees, the vacation calendar, financial calculations and various reports without entering a login and password. To safeguard the security of the data, The Hack will not disclose the name of the affected corporation.