Military personnel included in exposed group of carpooling employees
A website built to help commuters carpool to work is exposing sensitive information of workers for hundreds of employers in Southern California, including at least one military installation. The reason for the data breach was caused by programming errors in the website code.
The bugs, discovered on the RideMatch.info website enable hackers to easily access personal information such as names, home addresses, phone numbers, the times they commute to and from work, and in some cases employee numbers. According to a recent article published by The Register, the SQL injection vulnerability was still active 2 days ago, although it has been discovered two weeks before and reported to a developer who runs the website.
The issue has been discovered and reported bu Kristian Hermansen, a security researcher. Upon receiving a form to fill in by his employer, apparently a legal requirement for all employees, he investigated the website where the information was to be posted.
RideMatch.info is a joint project developed by transit authorities in five regional governments in Southern California. Each individual using the website enters work and home addresses and the time they leave from each. Based on the data, the website then teams them with others who live and work nearby and commute at similar times, thus providing an effective carpool matchmaking services. Too bad the same range of data can be accessed by any hacker willing to exploit the vulnerability!