IMPORTANT context about this discovery– This vulnerability was discovered by SafeBreach Labs when our researcher came across PII data and a security token in a public repository. When this finding and its potential impact was shared with the HiBob team, we were informed that a very small subset of their customers (six) had opted-in to allow their org chart to be exported outside the HiBob portal. However, a security token misconfiguration caused some PII data (email addresses) and some additional information (full names, roles, and reporting relationships within the organization) to be appended to the exported organizational chart. When SafeBreach made this issue known, the HiBob security team quickly fixed it.
As part of our ongoing commitment to conducting original research and maintaining an up-to-date Hacker’s Playbook, the SafeBreach Labs team is dedicated to uncovering new threats. My recent research focused on searching for vulnerabilities and design issues in the API security domain in line with this objective. As a result, we discovered a security vulnerability in the popular HR information system (HRIS) platform called HiBob.
This research summary aims to provide an outline of the tactics I used to find the vulnerability, highlight its specific details, the potential risks it posed, and the prompt actions undertaken by the HiBob security team to address and resolve the issue effectively.
Discovering the HiBob Vulnerability
During our routine vulnerability research, we stumbled upon an alarming finding related to the HiBob domain within Google’s VirusTotal platform. Upon further investigation, it was revealed that certain URLs associated with the HiBob domain, app.hibob.com, contained security tokens, which, when extracted, provided access to the entire organizational tree of the associated HiBob customer. Put simply, this exposed some stored PII data (see below for details) for every active employee listed on the organizational tree. (Note – We decided not to share tokens in this blog to avoid future unauthorized access. All relevant information was shared directly with the HiBob security team.)
During the course of our research, we were able to replicate our query and identify a few instances of other HiBob customers with exposed tokens. It is important to note that our research did not involve an extensive search, and there may be other HiBob customers (who opted-in to export their organizational chart outside the HiBob portal) who were exposed prior to the fix.
Here are some examples of URLs we identified that contained public tokens:
While this vulnerability didn’t expose highly sensitive information like salaries, physical addresses, or social security numbers, it did expose full names, email addresses (PII), roles, and reporting relationships within the organization. Gaining access to this information could potentially allow a threat actor to further exploit victims by leveraging highly-targeted spear phishing emails. By gaining knowledge of the full organizational structure, a threat actor could leverage targeted attacks to steal login credentials, impersonate users, and even execute secondary business email compromise (BEC) attacks, or worse – gain unauthorized access to organizational crown jewels.
Important note about the image above – This is a sample result of our VirusTotal query. Please note that the majority of the identifiable data (including PII information like last name and email address have been obfuscated)
Official Response from HiBob
“In March 2023, HiBob released a new Org Chart design. Among the many new features was the ability for authorized Bob administrators to generate a public link to the org chart that would dynamically display the names and titles of company managers. This feature was requested by HiBob customers who wanted to share real-time staff information with their Board or to share the org chart on company portals.
On Tuesday, May 30, 2023, SafeBreach, a HiBob customer, notified HiBob about a software security weakness in the exported public Org Chart that could potentially reveal the work email addresses of managers to people with data scraping tools. After verifying the issue, HiBob’s R&D team immediately fixed the bug and notified the six affected customers. It is important to note that the issue was neither a data leak nor a breach, and at no time did HiBob make any customer data publicly available. The public sharing of names and titles in the Org Chart was knowingly done only by customers that had business reasons to do so.”
Case Studies: Start-up Giant and Mid-sized Enterprise
To try and identify the level of exposure, we created a simple VirusTotal query that allowed us to identify all URLs containing the public token within the last three months. The results of this query were truly shocking. We were able to gain sensitive tokens for a start-up giant (valued at over $1 billion) and a mid-sized enterprise with over 500 employees. If a threat actor had gained access to these tokens, they could have potentially compromised the security and privacy of the affected organizations. This research highlights the urgent need for robust security measures to safeguard employee data and protect against emerging cyber threats.
The Importance of Proactive Security in Protecting Data
SafeBreach is passionate about enhancing security on a global scale. Our dedication to openly sharing vital discoveries serves as a constant reminder of the evolving threat landscape. It also emphasizes the significance of proactive measures in protecting valuable and sensitive data. Not only did we discover the vulnerability, but we also recommended that the HiBob security team limit the token validity time and remove potentially exposed PII data from being further accessed by the query. We take pride in our responsible disclosure practices and the swift response the HiBob security team exhibited. Thanks to their prompt action, the potential hazards linked to the exposed security token were swiftly and effectively mitigated.
This incident highlights the need for continuous evaluation and enhancement of security measures to protect against emerging threats. It also underscores the importance for organizations that handle sensitive data to practice good data hygiene and be extremely cautious when sharing that information. A leak regarding data of this nature is a prime tool for spear phishing. As users of digital platforms, it is crucial for individuals and organizations alike to remain vigilant and stay informed about security vulnerabilities. By fostering a culture of responsible disclosure and prompt remediation, we can collectively contribute to a safer online environment. Thank you, HiBob team, for setting an excellent example.