SQL Injection Vulnerability Exposes Sensitive Details about Ride Share Users in S. California

by FireHost Evangelist on September 15th, 2009

Programming errors on RideMatch.info allow attackers to access the names, home addresses, phone numbers, commuting schedules, and employee ID numbers of the service’s users, according to an article in The Register.

The RideMatch.info flaw stems from inadequate scrutiny of user-supplied text entered in search boxes and form fields throughout the website. Because that text is spliced into database queries as typed, an attacker can append SQL commands that the back-end database then executes, which is what makes this a SQL injection vulnerability.

The vulnerability was identified and reported in August by Kristian Hermansen, a security researcher who was required by his employer to sign up for the service. He told The Register: “The reason I am bringing this to your attention is that the issue is not being fixed by the admins and most companies don’t even know that their employees’ personal and corporate information may have been compromised.”

To date, the vulnerability has exposed the sensitive information of hundreds of employees at several organizations in Southern California, including at least one military entity.

The RideMatch website is a joint project of five regional transit authorities. The service pairs commuters based on their home and office locations as well as their departure times. The Riverside County Transportation Commission, the agency responsible for the website, said it contacted the Trapeze Group, the Canada-based development company that built the software, as soon as the vulnerability was reported.

Once identified, a SQL injection vulnerability can often be fixed by changing a line or two of code (passing user input to the database as a bound parameter instead of splicing it into the query text). However, when The Register spoke to a Trapeze spokesperson on September 8, she was unaware of any security bugs having been reported in the software. She said that any vulnerabilities brought to the company’s attention would be investigated and resolved.
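To make the two points above concrete (input reaching the database unchecked, and a fix that amounts to a line or two of code), here is an added example. It is not RideMatch’s code and not taken from The Register’s report: the commuter table, the sample records, the search function and the two payloads are all constructed for this illustration. It shows a hypothetical match-by-departure-time search written first with the search text spliced into the SQL string, then with the same query using a bound parameter, and runs both against a normal input, a tautology payload, and a UNION payload that pulls employee IDs and home addresses out of the table.

```python
import sqlite3

# Constructed sample records for this example; they are not real RideMatch.info data.
SAMPLE_USERS = [
    ("Alice Example", "10 Elm St", "555-0101", "07:30", "E1001"),
    ("Bob Example", "22 Oak Ave", "555-0102", "08:00", "E1002"),
]

# Two classic injection payloads typed into the departure-time search box.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"
UNION_PAYLOAD = "' UNION SELECT employee_id || ':' || home_address FROM users --"


def make_db():
    """Create an in-memory SQLite database with a hypothetical commuter table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "name TEXT, home_address TEXT, phone TEXT, depart_time TEXT, employee_id TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def search_vulnerable(conn, depart_time):
    """Match-by-departure-time search that splices the user's text into the SQL.

    This is the pattern the article describes (input reaching the database
    unchecked); it is a hypothetical illustration, not RideMatch's real code.
    """
    sql = "SELECT name FROM users WHERE depart_time = '" + depart_time + "'"
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, depart_time):
    """The same search with a bound parameter: the one-line fix.

    The driver sends the input as a value, so quotes, OR and UNION inside it
    are just characters in a string and can never change the query's structure.
    """
    sql = "SELECT name FROM users WHERE depart_time = ?"
    return [row[0] for row in conn.execute(sql, (depart_time,))]


def compare(payload):
    """Run one input through both versions; return (vulnerable, fixed) results, sorted."""
    conn = make_db()
    try:
        return sorted(search_vulnerable(conn, payload)), sorted(search_fixed(conn, payload))
    finally:
        conn.close()


if __name__ == "__main__":
    for label, payload in [("normal", "07:30"),
                           ("tautology", TAUTOLOGY_PAYLOAD),
                           ("union", UNION_PAYLOAD)]:
        vulnerable, fixed = compare(payload)
        print(f"{label:>9}: vulnerable={vulnerable} fixed={fixed}")
```

With the normal input both versions return Alice. With the tautology payload the spliced version returns every user, and with the UNION payload it returns employee IDs and home addresses from a column the search was never meant to expose, which is the kind of disclosure the article reports. The parameterized version returns nothing for either payload because it looks for a departure time that literally equals the payload string.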

This entry was posted on Tuesday, September 15th, 2009 at 9:00 am and is filed under Security.
