Security Fail Exposed Details of Virgin Media’s UK Job Applicants

Wednesday, October 26th, 2016 (10:11 am)

A security flaw in the third-party service that Virgin Media uses to process new job applications could have exposed the personal CV details of between 30,000 and 50,000 people to the Internet.

A student called Alikhan Uzakov discovered the problem while filling out an application form for the operator (like this one).

At this point he was offered the option to upload his CV, but the URL that this generated also revealed the name of a directory (folder) where his CV was being stored.
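As an added illustration (not code from the article, Virgin Media or its recruitment vendor), the following Python model puts the exposed pattern described above beside a hardened version. The class names, paths and applicant names are constructed for the example: the vulnerable store writes uploads under a web-served folder whose name the returned URL reveals and will list that folder to any requester, while the hardened store keeps files outside the served tree, returns an opaque token and releases a file only to the applicant who uploaded it.

```python
import os
import secrets
import tempfile
from dataclasses import dataclass, field


@dataclass
class VulnerableCvStore:
    """Uploads land in a directory the web server also serves; the web layer
    hands out anything under webroot and lists a directory on request."""
    webroot: str = field(default_factory=tempfile.mkdtemp)  # constructed

    def upload(self, applicant: str, cv: bytes) -> str:
        folder = os.path.join(self.webroot, "uploads", "cvs")
        os.makedirs(folder, exist_ok=True)
        with open(os.path.join(folder, f"{applicant}.pdf"), "wb") as fh:
            fh.write(cv)
        return f"/uploads/cvs/{applicant}.pdf"  # URL leaks the storage folder

    def serve(self, requester: str, url_path: str):
        # No authorisation: the requester is ignored; a folder path is listed.
        target = os.path.join(self.webroot, url_path.lstrip("/"))
        if os.path.isdir(target):
            return sorted(os.listdir(target))
        with open(target, "rb") as fh:
            return fh.read()


@dataclass
class HardenedCvStore:
    """Files live outside the served tree under an unguessable token and are
    released only to the applicant recorded as that token's owner."""
    private_dir: str = field(default_factory=tempfile.mkdtemp)  # constructed
    owners: dict = field(default_factory=dict)  # token -> applicant

    def upload(self, applicant: str, cv: bytes) -> str:
        token = secrets.token_urlsafe(32)
        with open(os.path.join(self.private_dir, token), "wb") as fh:
            fh.write(cv)
        self.owners[token] = applicant
        return f"/cv/{token}"  # says nothing about where or how files are kept

    def serve(self, requester: str, url_path: str) -> bytes:
        token = url_path.rsplit("/", 1)[-1]
        if self.owners.get(token) != requester:  # object-level authorisation
            raise PermissionError(url_path)
        with open(os.path.join(self.private_dir, token), "rb") as fh:
            return fh.read()
```

In the vulnerable store a second applicant can fetch the folder listing and every file in it; in the hardened store the same request is refused, and the URL carries nothing worth enumerating.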

Alikhan Uzakov said:

“When I opened the directory I was able to see all past and present applications. This was a broken access control. In layman’s terms this means that access to certain data was allowed without authorisation. Think of this as if you want to withdraw money and the bank gives you money without any validation of who you are, or of whether you have a debit card on you.

About 30,000–50,000 applications, past and present, were accessible. Personal information including telephone numbers, emails, where someone lives, and other details were out there in the open: my personal information was exposed as well. All this made me very concerned since what was happening violated the Data Protection Act 1998.

As soon as I found that there was a vulnerability I reported it to Virgin Media via Twitter. I didn’t get a reply despite the Virgin Media account being relatively active and tweeting other people. They responded once I gave a call to the central office in London Hammersmith about 24 hours after initial contact.”

The vulnerability has now been fixed and Alikhan had been hoping to get some public recognition, although Virgin Media later informed him that, “At the moment there is no programme to reward people for finding vulnerabilities … we can’t give you a preference over other candidates since it’s unfair.” However, VM did proceed to thank him a number of times via phone and email.

A spokesperson for Virgin Media said (Express):

“After a vulnerability on the third party company’s website was identified, the website was suspended and the issue is being fixed. The service will be resumed soon. Virgin Media’s systems were not affected in any way.”

Alikhan points out that, had he been someone with malicious intent, he could have done a lot more and might not have reported it at all. “The goal of [my] post is to promote more openness … companies should look into their security and maybe reward anyone who finds something wrong and reports it. Vulnerabilities should not be publicly disclosed until patched,” said Alikhan.

We assume that he won’t be getting whatever job he applied for, but it could always be worse (here).

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England); he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on Twitter, Facebook and LinkedIn.
17 Responses
  1. Steve Jones

    Yet another example of an inherently insecure approach to writing web apps. Making what ought to be back-end data directly available to the web server layer is just asking for trouble. It’s an OK approach if you aren’t handling sensitive data, but it’s prone to errors of system administration like this.

    The web/presentation layer and non-sensitive data should be in a DMZ and be the only bit visible to the Internet. Sensitive data and logic should be behind another firewall with strictly controlled interfaces.

    However, it’s a great deal easier (and cheaper) to stuff all this into one layer with direct access to database and shared file systems. This sort of issue will continue to arise.

    Of course nothing is 100% secure, but if application security is handled at the architectural level, it makes it inherently more robust albeit more expensive to develop.

    • Data Analysis

      I’d say it’s yet another example of anti-social, almost criminal behaviour and expecting to be rewarded for it.

      If he had just noticed a problem and reported it I would support him 100% and say Virgin should hire him immediately. However, that is not the case…

      Quote: “When I opened the directory I was able to see all past and present applications.”

      I assume he must have also opened the files to know they are past applications and CVs.

      Basically no different than accidentally leaving your front door open and some pervert walking in while you are out and rifling through your underwear drawer.

      Thankfully for a change it seems Virgin will not automatically be hiring for his behaviour. I actually like the quotes of…

      “The vulnerability has now been fixed and Alikhan had been hoping to get some public recognition”

      You have now and congrats you didn’t get the job for it.

      followed up by
      “At the moment there is no programme to reward people for finding vulnerabilities … we can’t give you a preference over other candidates since it’s unfair.”

      Or in other words: well done, have a cookie, run along and poke through organisations’ information without permission elsewhere.

      Too many firms go hiring these untrustworthy cretins when they find something wrong. Sony, Barclays, and the most recent possible example of someone being rewarded for their wrongful behaviour possibly Yahoo.

    • FibreFred

      And here we have another example of jumping to the defence of Virgin by deduction, as predictable as ever.

      Basic rules are: if it’s TalkTalk or Virgin the blame lies elsewhere; if it’s BT it’s BT’s fault 100%.

      Companies make a living offering pen testing services, so why don’t people use them?

    • Data Analysis

      Huh, what? The only thing I remotely defended them on was not giving him the job.

      As for the security issue and fault… Virgin are/were completely 100% to blame for it existing; nowhere did I deny that.

      I’m not sure how you got from me ripping on a cretin demanding he gets a job to me defending Virgin. Or why you would think I’m someone that defends any company over its wrongs.

    • Data Analysis

      PS before you go off on the personal attack again……

      You may also want to read this, posted at about the same time as you were bashing me here….
      http://www.ispreview.co.uk/index.php/2016/10/bt-launch-1gbps-ultrafast-free-wifi-service-via-kiosks-london.html#comment-171286

      I’d say that is a nice post to BT from me.

      Also this, before you posted here…
      http://www.ispreview.co.uk/index.php/2016/10/talktalk-extend-940mbps-ftth-broadband-york-40000-premises.html#comment-171283

      I would not call that being nice to TalkTalk or blaming anyone other than them.

      I doubt this will alter your thinking that I’m one of the many BT-only bashers though.

    • Steve Jones

      To be fair, this is not a Virgin system. It was a third party company providing the service. I wouldn’t 100% blame them unless they didn’t do the due diligence checks for any supplier dealing with sensitive data. It’s impossible to be responsible for all suppliers.

      However, the general point applies. This sort of thing happens due to sloppy designs and shortcuts being taken.

    • Chris P

      Data Analysis fail

      He clearly states he tweeted them followed by a call 24 hours later. How else was he meant to get their attention, phoning VM support and trying to explain it’s not a problem with his services but a problem with a VM web page? Support would in no way be able to sort that out as there is no script or menu option for that. This guy did the absolute correct thing and looks like he found the correct people to get the problem sorted. I’d give him the job as he shows initiative, understood the severity of the issue and didn’t just give up at the first hurdle, like many of VM’s support bods, and got VM to take action to resolve it.

    • Gordon

      “I’d give him the job….”

      Nobody cares what you would do.

    • Data Analysis

      ‘He clearly states he tweeted them followed by a call 24 hours later.’

      And before all that he clearly states he rummaged through the data. So your point is what?

      His bank theory as is typical for persons with his mentality is also flawed. Virgin did not give him anything like his fictitious example of a bank giving him money with no validation of who he is.

      If he wants to compare it to a bank what actually happened was he saw a box of money open in the bank, totally unguarded and decided to take some. Nobody gave him the money or information or gave him permission to take it.

      The only thing that makes me sicker and who are more stupid than these self entitled, dimwitted fools are the cretins that support them.

  2. Eric Cartman

    Data Analysis just commenting without reading the article:
    “As soon as I found that there was a vulnerability I reported it to Virgin Media via Twitter. I didn’t get a reply despite the Virgin Media account being relatively active and tweeting other people. They responded once I gave a call to the central office in London Hammersmith about 24 hours after initial contact.”
    If we apply your example of a door being left open: someone walked in accidentally, and as soon as they realised the door was open they told you that.
    I read the original post and the guy clearly says that he was given permission to post an article.
    Nice defence of Virgin.

    • Gordon

      “If we apply your example of a door being left open, someone walked in, accidently, as soon as they realised the door is open they told you that.”

      How do you accidentally walk through an open door??? You choose to either walk through an open door or just report it. You do not walk in go through everything then walk out and tell the person about it and expect a pat on the back.
      Perhaps someone that trespasses can use your expert opinion as a defense in court in future… Then again maybe not LOL

    • Data Analysis

      ‘How do you accidentally walk through an open door???’

      Blind and stupid like some of the responses maybe?

    • Chris P

      Just your responses, DA.

      If he didn’t check the files he would not have known the seriousness of the issue and would have wasted his time and potential job opportunity moaning about this for nothing.

      You carry on regardless in your glass house though.

    • Data Analysis

      He didn’t have to open any other files, as he clearly states “my personal information was exposed as well”; he only had to open his own file on the server (the one obviously at the time with no doubt the most recent accessed/modified date) to know, more than within reason, what each file in the same directory contained and that it was others’ information.

      He freely admits he did look at others’ information though. He is no different to some toe rag that may find a letter addressed to you, or your wallet, in the street with your name and address clearly and obviously displayed in an outer clear window. He then proceeds to rifle through the wallet or open the letter before giving it to you, just because he cannot help himself and must know what it contains.

      A typical untrustworthy individual and that is why he is not getting the job.

    • Gordon

      You are trying to explain common sense, trust and morals to someone that has none. They will not get it.

    • FibreFred

      Sigh, more multi-id trolling spoiling the reputation of a decent website

    • Data Analysis

      Sigh, more childish name calling trying to allude to more untruths.
