
SQL Injection Vulnerability Exposes Sensitive Details about Ride Share Users in S. California

by FireHost Evangelist on September 15th, 2009

Programming errors on RideMatch.info allow hackers to access names, home addresses, phone numbers, commuting schedules, and employee ID numbers for the service’s users, according to an article featured in The Register.

The RideMatch.info flaw is inadequate scrutiny of user-supplied text entered in search boxes and other fields throughout the website. Hackers exploit the resulting SQL injection vulnerability by passing commands directly to the back-end database.

The vulnerability was identified and reported in August by Kristian Hermansen, a security researcher who was required by his employer to sign up for the service. His report to The Register stated, “The reason I am bringing this to your attention is that the issue is not being fixed by the admins and most companies don’t even know that their employee’s personal and corporate information may have been compromised.”

To date, the exploit has exposed hundreds of employees’ sensitive information across several organizations in S. California, including at least one military entity.
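
The class of flaw described above, shown as an added example that is not code from RideMatch.info or from the original article: a search handler that concatenates user text into SQL, beside a parameterized one. The table, column names and records are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory table of constructed commuter records (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE riders (name TEXT, home_address TEXT, employer TEXT)")
    db.executemany("INSERT INTO riders VALUES (?, ?, ?)", [
        ("Alice Example", "1 Sample St", "Acme"),
        ("Bob Example", "2 Sample Ave", "Acme"),
        ("Carol Example", "3 Sample Rd", "Globex"),
        ("Dan Example", "4 Sample Ln", "O'Neil Logistics"),
    ])
    return db

def search_vulnerable(db, employer):
    # Weak: the search text is pasted into the SQL string, so any quote
    # character in it is parsed as SQL syntax instead of as data.
    sql = ("SELECT name, home_address FROM riders "
           "WHERE employer = '" + employer + "'")
    return db.execute(sql).fetchall()

def search_parameterized(db, employer):
    # Hardened: the driver binds the text as a value, so it is only ever
    # compared against the column and never reaches the SQL parser.
    sql = "SELECT name, home_address FROM riders WHERE employer = ?"
    return db.execute(sql, (employer,)).fetchall()

def compare(db, text):
    """Run both searches on one input; report an SQL error instead of raising."""
    try:
        weak = search_vulnerable(db, text)
    except sqlite3.OperationalError as exc:
        weak = "SQL error: %s" % exc
    return weak, search_parameterized(db, text)

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal search, text that alters the WHERE
    # clause, and a legitimate employer name containing an apostrophe.
    for text in ("Acme", "x' OR '1'='1", "O'Neil Logistics"):
        weak, safe = compare(db, text)
        print(repr(text))
        print("  concatenated :", weak)
        print("  parameterized:", safe)
```

The concatenated query returns every rider for the second input and fails outright on the third, while the parameterized query treats both as plain search text.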
