Security Fail Exposed Details of Virgin Media’s UK Job Applicants

Wednesday, Oct 26th, 2016 (10:11 am)

A security flaw in the third-party service that Virgin Media uses to process new job applications could have exposed the personal CV details of between 30,000 and 50,000 people to the Internet.

A student called Alikhan Uzakov discovered the problem while filling out an application form for the operator.

At this point he was offered the option to upload his CV, but the URL that this generated also revealed the name of a directory (folder) where his CV was being stored.

Alikhan Uzakov said:

“When I opened the directory I was able to see all past and present applications. This was a broken access control. In layman’s terms this means that access to certain data was allowed without authorisation. Think of this as if you want to withdraw money and the bank gives you money without any validation of who you are, or if you have a debit card on you.

About 30,000–50,000 applications, past and present, were accessible. Personal information including telephone numbers, emails, where someone lives, and other details were out there in the open: my personal information was exposed as well. All this made me very concerned since what was happening violated the Data Protection Act 1998.

As soon as I found that there was a vulnerability I reported it to Virgin Media via Twitter. I didn’t get a reply despite the Virgin Media account being relatively active and tweeting other people. They responded once I gave a call to the central office in London Hammersmith about 24 hours after initial contact.”
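The flaw described in the quote above is a missing authorisation check on stored uploads. The following is an added example, not code from the article or from the third-party recruitment service, contrasting an unchecked listing with per-user checks; the `CVStore` class, its method names and the `is_recruiter` flag are hypothetical, and the sample files are constructed.

```python
import secrets


class Forbidden(Exception):
    """Raised when a request is not authorised for the object it names."""


class CVStore:
    """In-memory stand-in (hypothetical) for an application-upload directory."""

    def __init__(self):
        self._files = {}  # file_id -> (owner_id, filename, content)

    def upload(self, owner_id, filename, content):
        # Opaque random id: the download URL reveals no directory or sequence.
        file_id = secrets.token_urlsafe(16)
        self._files[file_id] = (owner_id, filename, content)
        return file_id

    # Behaviour matching the report: the listing never asks who is calling.
    def list_all_unchecked(self):
        return sorted(name for _, name, _ in self._files.values())

    # Hardened: a listing is filtered by the authenticated session user.
    def list_for(self, session_user, is_recruiter=False):
        if session_user is None:
            return []
        return sorted(name for owner, name, _ in self._files.values()
                      if is_recruiter or owner == session_user)

    # Hardened: every download is checked against the file's owner.
    def download(self, session_user, file_id, is_recruiter=False):
        record = self._files.get(file_id)
        # Same error for "missing" and "not yours" so ids cannot be probed.
        if record is None or session_user is None:
            raise Forbidden("not found or not authorised")
        owner, name, content = record
        if not (is_recruiter or owner == session_user):
            raise Forbidden("not found or not authorised")
        return name, content


if __name__ == "__main__":
    store = CVStore()  # constructed sample data
    store.upload("alice", "alice_cv.pdf", b"A")
    store.upload("bob", "bob_cv.pdf", b"B")
    print("unchecked listing:", store.list_all_unchecked())
    print("alice's listing:  ", store.list_for("alice"))
```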

The vulnerability has now been fixed and Alikhan had been hoping to get some public recognition, although Virgin Media later informed him that, “At the moment there is no programme to reward people for finding vulnerabilities … we can’t give you a preference over other candidates since it’s unfair.” However, VM did proceed to thank him a number of times via phone and email.

A Spokesperson for Virgin Media said (Express):

“After a vulnerability on the third party company’s website was identified, the website was suspended and the issue is being fixed. The service will be resumed soon. Virgin Media’s systems were not affected in any way.”

Alikhan points out that, had he been someone with malicious intent, he could have done a lot more and might not have reported it at all. “The goal of [my] post is to promote more openness … companies should look into their security and maybe reward anyone who finds something wrong and reports it. Vulnerabilities should not be publicly disclosed until patched,” said Alikhan.

We assume that he won’t be getting whatever job he applied for, but it could always be worse.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.