Recruitment agency data security

Forums › Off topic › Recruitment agency data security

1 | 2

andrewNZ

2487 posts

Uber Geek
Inactive user

#2610707 25-Nov-2020 17:26

I emailed them last night asking them to remove my details and confirm that it was done. I had a confirmation email just before 9am saying it was done.

The link they provided earlier is still working, and displaying the details though.

I can't decide if I should harass them some more, change the details in the link to overwrite my data, or just ignore it and carry on.
Leaving it alone is probably the best option, but I don't have a lot going on right now, so winding them up would provide me with some amusement.

ANglEAUT

2320 posts

Uber Geek

Trusted

Lifetime subscriber

#2610740 25-Nov-2020 19:19

andrewNZ: ... The link they provided earlier is still working, and displaying the details though. ...

Try Incognito / Private mode with the same URL. Your browser could be caching the data.
Mailchimp & other mailing systems will have an internal database, separate from the business. It is possible that the mail system still contains your data, but they have removed your records from "the office file server"

andrewNZ: I couldn't immediately find a way of altering the url to access someone else's details, but I also don't understand how the url is constructed.
It looks to me like someone who knows how the url structure works would be able to manipulate it. ...

The url looks kind of like this: https://xxxxx.co.nz/?surveyId=a1b&hf=12345678&eId=12345678&utm_campaign=website&utm_source=Herefish&utm_medium=Email

Everything before the first ? should be a webpage you can access (https://xxxxx.co.nz/?)
The question mark starts the parameters chain (?surve)
Each parameter is separated by an ampersand (&)
&utm_* are parameters about the source / origin that brought you to this page
- utm_campaign=Nov-2020_email_push_to_update_stale_client_details
- utm_source=what_was_click_(image_or_link_in_footer_or_link_in_paragraph)
- utm_medium=email_or_website_or_partner_or_api_or_somethingelse
That leaves the other parameters to play with
- surveyId= Looks like meta data for the mailing system
- hf= could be more metadata or campaign related or related directly to you
- eId= Could this stand for employee Id? What happens when you change this value?
  - Warning: Changing these values & gaining access to other peoples data can be (& is in certain countries) considered hacking.
- ...= any other parameters you can decipher / guess?

Please keep this GZ community vibrant by contributing in a constructive & respectful manner.

andrewNZ

2487 posts

Uber Geek
Inactive user

#2610791 25-Nov-2020 19:32

BOOM!

If I change hf= I get someone else's data.

So, what is my next move? I can't allow this to carry on.

freitasm

BDFL - Memuneh
79270 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2610795 25-Nov-2020 19:41

I have contacted @andrewnz about this. I will temporarily lock this discussion.

mike

307 posts

Ultimate Geek

Trusted

#2610800 25-Nov-2020 19:48

That's bad.

You should skip the agency and contact the vendor directly https://herefish.com

(vendor disclosed in the utm_source)

andrewNZ

2487 posts

Uber Geek
Inactive user

#2610806 25-Nov-2020 20:10

I have provided @freitasm the link and asked him to forward the details to the to the proper people.

Thank you folks. I know it's not super sensitive data, but it's still pretty bad.
I'll bet there's going to be a LOT more of this as more businesses try to do everything digitally.

1 | 2