Your Web News in One Place

Help Webnuz

Referal links:

Sign up for GreenGeeks web hosting
May 16, 2020 04:34 pm

Programmer Discovers Unprotected Access to State's Jobless Claims Portal's Admin Mode

Long-time Slashdot reader bbsguru shares a story from the alternative newsweekly the Arkansas Times. "A computer programmer applying for unemployment on Arkansas's Pandemic Unemployment Assistance program discovered a vulnerability in the system that exposed the Social Security numbers, bank account and routing numbers and other sensitive information of some 30,000 applicants. "Anyone with basic computer knowledge could have accessed personal information for malicious purposes."Alarmed, the computer programmer called the Arkansas Division of Workforce Services Friday morning and was told by an operator that there was no one available who could talk to him. He then tried someone at the Arkansas State Police Criminal Investigation Division, who told the programmer he would find the person he needed to talk with to fix the situation. The programmer later called the Arkansas Times for advice on whom to call. The Times alerted the Division of Workforce Services to the issue at 4:30 p.m. Soon after a message appeared on the website that said, "The site is currently under maintenance...." In exploring the website, the computer programmer determined that by simply removing part of the site's URL, he could access the administrative portal of the site, where he had the option of editing the personal information of applicants, including bank account numbers. From the admin portal, he viewed the page's source code and saw that the site was using an API (application programming interface) to connect with a database. That API was also left unencrypted, and he could access all of the applicants' raw data, included Social Security numbers and banking information... The computer programmer said he thought he could have programmed a script that would gather all of the information from the API in under an hour.

Read more of this story at Slashdot.


Original Link: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/kvW4FfiduIM/programmer-discovers-unprotected-access-to-states-jobless-claims-portals-admin-mode

Share this article:    Share on Facebook
View Full Article

Slashdot

Slashdot was originally created in September of 1997 by Rob "CmdrTaco" Malda. Today it is owned by Geeknet, Inc..

More About this Source Visit Slashdot