SAP users have been warned that the vendor's web-based e-recruiting applications could be exposed to cyber security breaches.
The caution comes as security provider Bowbridge Software - a long-time alliance partner of SAP - selected 120 businesses using SAP E-Recruiting application to run random tests to see if proper security measures were being adopted to protect the application.
One of the critical findings was that 52 per cent of the systems tested did not prevent the upload of malware, with three critical areas tested: transport layer security; registration process and uploading of attachments.
E-recruiting collects personal data by default, with the study revealing that 81 per cent of the implementations we tested did default to the use of SSL encryption. However, over 30 per cent of the tested sites allowed SSL encryption to be bypassed by simply changing the URL protocol from https:// to http://.
Delving deeper, less than 12 per cent of the systems tested required users to confirm the email address, making such portals easy targets, while a total of 38 per cent of the systems required the passwords to meet minimum requirements for length or complexity.
Almost 60 per cent of the systems notified users of restrictions on the types of files allowed to be uploaded and some 30 per cent of the portals did not implement any filtering or restrictions whatsoever on the types of files accepted by the application.
According to findings, this means that a third of applications and its users are exposed to a wide range of file-based threats.
"More than 60 per cent of the systems we tested allowed uploading of arbitrary files as soon as the extension was changed to one on the list of allowed extensions," the report stated.
Breaches through the upload of HTML with embedded JavaScript were also revealed, with 31 per cent of the systems allowing the upload of plain JavaScript files.
Furthermore, systems were also found to allow the upload of Java Archives (.jar files), Flash, Silverlight, Office documents with macros in the old format (CDF, preOffice 2007) and documents with macros in the new format (OOXML).
Systems that allowed the uploading of Windows executable (.exe) files totalled 29 per cent and over 30 per cent allowed DOS executables (.com) files and shared libraries (.dll) to be uploaded to the SAP data store - the list also includes PDF files, XML and XSLT, and more.
“While we only tested the E-Recruiting application, these results can certainly be applied to any web-based SAP application that companies are using,” Bowbridge CTO Jörg Schneider-Simon said. “By failing to secure their SAP applications, businesses are taking an enormous risk not only with their data, but with their very future.”
Schneider-Simon assured customers that all tests were completely non-intrusive.
"No attack scripts were used, no real malware was uploaded to any target system, and any test files that were uploaded were also removed from systems," Schneider-Simon explained. "In systems where a candidate registration was required, the dummy candidate profiles (“John Doe”) were deleted after the tests were completed, if the system allowed it."
SAP recommends all its customers to securely configure their systems and implement SAP security patches as soon as they are available.
The German software vendor said during its Leonardo Live event that its AI efforts, still at an early stage, can probably automate 40 percent of the jobs today across the globe.
