Jobvite Recruitment Service Website Vulnerable to Hackers
Jobvite, a recruiting platform for the social web, is found vulnerable to the most common, but critical web application vulnerabilities that could allow an attacker to compromise and steal the database of the company's website.

Jobvite is a Social recruiting and applicant tracking created for companies with the highest expectations of recruiting technology and candidate quality. Growing companies use Jobvite's social recruiting, sourcing and talent acquisition solutions to target the right talent and build the best teams.

An independent security researcher Mohamed M. Fouad from Egypt, has found two major flaws in Jobvite website that could be used by an attacker to comprise the company's web server. As a responsible security researcher, Fouad also reported the critical flaws three months ago to the Jobvite team, but the company didn't fix it till now.

According to Fouad, Jobvite is vulnerable to Boolean SQLi (SQL injection) and LFI (local file inclusion) vulnerabilities, which he found was one of the best security vulnerabilities he has ever discovered.

SQLi or SQL injection is one of the many web attack mechanisms used by hackers to steal data from organizations. It is perhaps one of the most common application layer attack techniques used today. The attackers take advantage of improper coding of your web applications that allows them to inject SQL commands into, say, a login form to allow them to gain access to the data held within your database.

Mohamed told The Hacker News that SQLi vulnerability in the Jobvite website allows him to gain access to the company's website database which includes the confidential data of its admin users (jobvite employees) along with their emails, hashing salt and hashed passwords.

LFI or Local File Inclusion is a type of vulnerability most often found on websites that allows an attacker to include a local file, usually through a script on the web server, which occurs due to the use of user-supplied input without proper validation. This can lead to code execution on the web server or on the client-side such as JavaScript which can lead to other attacks such as cross site scripting (XSS), Denial of service (DoS) and Data theft or manipulation.

Using Jobvite LFI vulnerability an attacker can get access to the critically important files stored on the web server i.e. /etc/passwd or /etc/hosts. Fouad used the LFI flaw which allowed him to view all the company's LINUX server user accounts exists.

According to Fouad, the company has not given any acknowledgment regarding SQLi flaw, neither has fixed it yet, that left Jobvite CMS database vulnerable to hackers.
When The Hacker News asked Fouad about the fixes, he replied, "I think they fixed LFI because it's not working now but during my attack I got all LINUX USERS. But The site is still vulnerable to the SQLi vulnerability."
"I approached the company 6 times during the last 4 months but I got no reply specifically from "Mahesh," the security consultant, Jobvite security. I dont know what about their plan for SQLi fix but the last reply was 4 months ago," he added.
Fouad believes that this critical vulnerability may also impact Odesk website due to the integration between them but he is still investigating the issue.

Jobvite's CTO 'Adam Hyder', told The Hacker News that the website is using "SilverStripe" an open source CMS to hosts Jobvite marketing content only.

"Our corporate site does not contain any application or customer data. Jobvite application and customer data are completely secure." he said.

But SQL Injection vulnerability in the SilverStripe CMS exposes the jobvite login employee's credentials to an attacker.

SilverSprite told researcher that the SQLi vulnerability exists in the Jobvite's website because of their own custom codes, not originated from default CMS.
The Hacker News

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.