Admin
[Slashdot] - Programmer Discovers Unprotected Access to State's Jobless Claims Portal's Admin Mode

Long-time Slashdot reader bbsguru shares a story from the alternative newsweekly the Arkansas Times. "A computer programmer applying for unemployment on Arkansas's Pandemic Unemployment Assistance program discovered a vulnerability in the system that exposed the Social Security numbers, bank account and routing numbers and other sensitive information of some 30,000 applicants. "Anyone with basic computer knowledge could have accessed personal information for malicious purposes." Alarmed, the computer programmer called the Arkansas Division of Workforce Services Friday morning and was told by an operator that there was no one available who could talk to him. He then tried someone at the Arkansas State Police Criminal Investigation Division, who told the programmer he would find the person he needed to talk with to fix the situation. The programmer later called the Arkansas Times for advice on whom to call. The Times alerted the Division of Workforce Services to the issue at 4:30 p.m. Soon after, a message appeared on the website that said, "The site is currently under maintenance...." In exploring the website, the computer programmer determined that by simply removing part of the site's URL, he could access the administrative portal of the site, where he had the option of editing the personal information of applicants, including bank account numbers. From the admin portal, he viewed the page's source code and saw that the site was using an API (application programming interface) to connect with a database. That API was also left unencrypted, and he could access all of the applicants' raw data, including Social Security numbers and banking information... The computer programmer said he thought he could have programmed a script that would gather all of the information from the API in under an hour.

Read more of this story at Slashdot.
