-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory Title
===============
ARA-2018-004: No change of initial password required for jobbase.io

Affected Product(s) and Environment(s)
=======================================
Product: jobbase.io (Prescreen International GmbH)
Environments: All browsers and operating systems

Security Risk
===============
Severity: Medium
Vulnerability Type: Unprotected Transport of Credentials (CWE-523)
CVSS v3: 4.6 (AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

## Impact
Confidentiality: Low
Integrity: Low
Availability: None

## Exploitability
Access Vector: Adjacent Network
Access Complexity: Low
Privileges Required: None
User Interaction: Required

## Scope
Scope: Unchanged

Remediation Level
================
Unavailable

Timeline
========
2018-11-02: Vendor Notification
2018-12-11: Vendor Fix
2018-12-20: Public Disclosure

Description Summary
=====================
The application management tool jobbase.io does not require users to change the initial password that is sent to them in an unencrypted e-mail.

Product Introduction
=====================
"Prescreen is a cloud-based applicant tracking system that enables you to publish job vacancies online and offline and give candidates the opportunity to apply for jobs directly. Prescreen gathers all applications collectively, analyses the data and helps you with your evaluation. This makes time and labour-intensive processes more efficient." [Prescreen Website](https://prescreen.io/en/)

Technical Description
======================
Job candidates using the Prescreen web application for candidates (jobbase.io) receive a preset password for the website in an unencrypted e-mail. When they log on to the service, they are not required to change this initial password. Because the password travels by e-mail in clear text, an attacker on the same network as the candidate, or with access to a mail server on the delivery path, can read the password and log on as the user for an unlimited time, that is, until the user chooses to change the password.
Proof of Concept (PoC)
======================
After registering with a company's job board hosted under jobbase.io, the candidate receives an eight-character password in an e-mail with the subject line "Ihr Passwort" (German for "Your password"). An attacker with access to this e-mail (e.g. by intercepting the traffic between e-mail servers) can log on to the account and read the sensitive data the candidate uploaded to the website (CV, photo, certificates, etc.).

Solution
========
Instead of sending users a password, the application should let users set their own password during registration, or else use a token with a short lifetime for the initial login.

References
===========
[aramido responsible disclosure policy](https://aramido.de/blog/Sicherheitshinweise)

Author
======
Armin Harbrecht, aramido GmbH
E-mail: armin.harbrecht@aramido.de
PGP-Key: https://aramido.de/armin.harbrecht.asc
PGP-Fingerprint: E644 A4BD 7723 8620 FDA5 88C5 C483 060D 2B5F 83A0

Disclaimer
===========
The information provided in this advisory is provided "as is" without any warranty. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the aramido web site. aramido GmbH disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. aramido GmbH or its suppliers are not liable in any case of damage, including direct, indirect, incidental or consequential damages, loss of business profits or special damages, even if aramido GmbH or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. We do not approve of or encourage anybody breaking vendor licenses or policies, defacing websites, hacking into databases or trading in fraudulent or stolen material.
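One way to implement the token-based alternative proposed in the Solution section, as an added example that is not part of the original advisory and not Prescreen's or jobbase.io's code: the server e-mails a random, single-use token with a short lifetime instead of a password, stores only the token's hash, and lets the candidate choose their own password when the token is redeemed. The 15-minute lifetime, the 12-character minimum password length, the PBKDF2 parameters and the in-memory dictionaries standing in for a database are assumptions made for the illustration.

```python
"""Short-lived, single-use account-setup token in place of an e-mailed password.

Added illustration for the advisory's Solution section; not code from
Prescreen/jobbase.io. The dictionaries below stand in for a database.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60        # assumption: token is valid for 15 minutes
MIN_PASSWORD_LENGTH = 12           # assumption: minimal password policy
PBKDF2_ITERATIONS = 600_000        # assumption: PBKDF2-HMAC-SHA256 work factor

# candidate_id -> {"token_hash": bytes, "expires_at": float, "used": bool}
_setup_tokens: dict[str, dict] = {}
# candidate_id -> {"salt": bytes, "pw_hash": bytes}
_credentials: dict[str, dict] = {}


def _token_digest(token: str) -> bytes:
    # Only the digest is stored: a leaked table does not yield live tokens.
    return hashlib.sha256(token.encode()).digest()


def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def issue_setup_token(candidate_id: str, now: float | None = None) -> str:
    """Create the token that goes into the registration e-mail link.

    The plaintext token is returned exactly once, for the e-mail; the server
    keeps only its digest plus an expiry and a single-use flag.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)           # 256 bits from the OS CSPRNG
    _setup_tokens[candidate_id] = {
        "token_hash": _token_digest(token),
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def redeem_setup_token(candidate_id: str, token: str, new_password: str,
                       now: float | None = None) -> bool:
    """Exchange a valid token for a password chosen by the candidate.

    Rejects unknown, already used and expired tokens, compares the digest in
    constant time, and only marks the token used once the password is stored.
    """
    now = time.time() if now is None else now
    record = _setup_tokens.get(candidate_id)
    if record is None or record["used"] or now > record["expires_at"]:
        return False
    if not hmac.compare_digest(record["token_hash"], _token_digest(token)):
        return False
    if len(new_password) < MIN_PASSWORD_LENGTH:
        return False                            # token stays valid for a retry
    salt = secrets.token_bytes(16)
    _credentials[candidate_id] = {"salt": salt,
                                  "pw_hash": _password_hash(new_password, salt)}
    record["used"] = True                       # single use: a replayed link fails
    return True


def verify_login(candidate_id: str, password: str) -> bool:
    """Regular login against the password the candidate chose for themselves."""
    cred = _credentials.get(candidate_id)
    if cred is None:
        return False
    return hmac.compare_digest(_password_hash(password, cred["salt"]), cred["pw_hash"])


if __name__ == "__main__":
    t0 = time.time()
    tok = issue_setup_token("cand-1", now=t0)
    print("redeem with fresh token:", redeem_setup_token("cand-1", tok, "correct horse battery", now=t0 + 60))
    print("replay of same token:  ", redeem_setup_token("cand-1", tok, "another long password", now=t0 + 61))
    print("login with chosen pw:  ", verify_login("cand-1", "correct horse battery"))
```

Note that an intercepted e-mail still gives the attacker the link, so the lifetime and single-use flag limit the window rather than remove it; the candidate who redeems the token first wins, and a token that was already consumed by someone else is a signal worth logging.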
Copyright
==========
CC-BY-4.0 http://creativecommons.org/licenses/by/4.0/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJcG8SBAAoJEM5Pl4/4kex/LkEP/RjlfAhoBz/wBq1Hoh6CUZEi
acFVQA8dNJVYPLBG4SJiAzrk3tWf4x9AbN1BEjCmGPUd+gS3RZj/MvESZTWvbAlu
CiYtEl3FRIc7e9nYz8lO/3fdF5AAkSwbH+pZkFZmh/FpwAIb1Uin8HObT48DB0/h
YlVmCI2jmd/02PqMS1utgo+k3rdUoRf6emqtgdvsJbXAOsfbjREBoEOa4CUnOapB
EhMFK9yEMbeHkM983dvlnWTt8O0VZANsowC23tmT32VfSR1a/qeOiy35Xc/MJP1t
lWF8FxJCwWJURqhQoyjKqnVgBh/Y82WopfFnHBh4NdGVF10HrFehR7Ocfj9EtLMf
WyCI1jEBTzzOkRpurkKzop1WE/mUdKsws8s32d+uQsxLfKTRmETANNUXYCfXBwbu
adbix81drNiP9mb5Gp3993lFfhlSJ/Qa520cRWSKrMHm00QKv0YzaNBF1+56V0F7
JN7/wJgn7BXtFArpn1lSKrDIGtEbzLPmpqn3Zk1mQ0GEzhuG2y2un0+JqnpL8g+P
8Awlno/X6PueZcIj0rjtlUBGgzGME1Fm+G7xH9F5vsJ723MC1PVoxQxmJ68S+/ZP
ZnImF7TZfrztnF0/xjMu0tPkrfx61/tLja96mjTyaLqygo/ioilHwV8+XGYTsxli
8TS+16nw0JO+B8Ljbtmt
=obCH
-----END PGP SIGNATURE-----