Ipswich Unemployed Action.

Campaigning for Unemployed Rights.

Universal Jobmatch: Security Woes and Test jobs

with 20 comments

Ipswich Unemployed Action warns jobseekers that Universal Jobmatch, an already very insecure job search website, now poses a risk that extends beyond data security to the security of your own computer.

Computer security at risk

The above is a job advertisement seen on Universal Jobmatch yesterday. There are a lot of job titles named “qa” in the London area.

What is so concerning about the above?

Well:-

  1. The company name is both “golive1” and “golive12” … surely these must be the same? This suggests the website, which also went down for quite a while yesterday, may have been hacked. Alternatively, it may be an input feed, “internal testing”, or perhaps the employer has two names to call itself. Who knows.
  2. That rectangle shape with the scrollbars is an iframe (we will explain in a bit why this is worrying).

Luckily enough the iframe pointed to a harmless website (one of the common beginner coding websites, which is also quite awful), but it could have been much worse. The rest of the job advert was copied and pasted into Google, and hundreds of pages from the Monster website came up, so it is official text. We can assume this is a “proof of concept” test.

Universal Jobmatch security concerns

The reason this is a big deal is that the website clearly doesn’t strip non-formatting HTML tags, so in theory it could allow script, meta, object, iframe, and embed tags. (Externally loaded images via the img tag are an additional privacy concern.)

These allow whoever posts the advert to add JavaScript (which could redirect you, track you with cookies, or worse), VBScript if your browser is careless enough to allow it, redirect the browser to another website, load a Flash video or applet (which could contain an exploit), load a Java applet (which could easily be a virus), or load another website entirely (an iframe, which in turn could load any of these tags).
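The defensive counterpart to the problem described above is an allowlist: escape every tag in a submitted advert and re-enable only bare formatting tags, so iframe, script, object, embed, meta and img are rendered as inert text. The following is an added example written for this post, not code from Universal Jobmatch or Monster; the tag allowlist, the sample advert and the tag names are constructed assumptions, and it also shows an audit helper for finding disallowed tags in adverts already stored.

```python
import html
import re

# Formatting-only tags a job advert legitimately needs. Everything else
# (script, iframe, object, embed, meta, img, ...) is left escaped, so the
# browser renders it as visible text instead of interpreting it.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "ul", "ol", "li"}

# An escaped open/close tag with NO attributes, e.g. "&lt;b&gt;" or
# "&lt;/li&gt;". Attributes are never restored, so no src=, href= or
# on*= handler can survive even on an allowed tag.
_ESCAPED_TAG = re.compile(r"&lt;(/?)([a-zA-Z]+)\s*/?&gt;")

# Any tag-like token in the raw submission, used for auditing.
_ANY_TAG = re.compile(r"</?([a-zA-Z][a-zA-Z0-9]*)")

# Constructed sample advert in the shape this post describes: a "qa"
# test job whose body smuggles in an iframe and a tracking image.
SAMPLE_ADVERT = (
    "<p><b>qa</b> - golive1 - London</p>"
    '<iframe src="http://test-site.invalid/"></iframe>'
    '<img src="http://tracker.invalid/pixel.gif?id=123">'
)


def sanitize_advert(raw: str) -> str:
    """Escape all HTML, then re-enable only bare allowed formatting tags."""
    escaped = html.escape(raw, quote=True)

    def restore(m: re.Match) -> str:
        slash, name = m.group(1), m.group(2).lower()
        if name in ALLOWED_TAGS:
            return f"<{slash}{name}>"
        return m.group(0)  # stays as inert, visible text

    return _ESCAPED_TAG.sub(restore, escaped)


def disallowed_tags(raw: str) -> list:
    """Audit helper: tag names in an advert that fall outside the allowlist."""
    found = []
    for name in _ANY_TAG.findall(raw):
        name = name.lower()
        if name not in ALLOWED_TAGS and name not in found:
            found.append(name)
    return found


if __name__ == "__main__":
    print("Disallowed tags:", disallowed_tags(SAMPLE_ADVERT))
    print(sanitize_advert(SAMPLE_ADVERT))
```

Because attributes are never restored, an allowed tag carrying an attribute (such as an onclick handler) is also left escaped rather than partially cleaned.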

iframes

An iframe (<iframe … >) is an inline frame (that’s what the i means). A frame allows two or more pages to be included in one physical browser page; the pages in the frames load separately, so for example you can mix static pages with dynamic pages. Frames used to be used for navigation (one frame would be the navigation and the other, larger one the content page) and also for websites that link to others, so you can have a top frame with a back button.

An inline frame (iframe) lets you do this inside an existing page. Unlike Universal Jobmatch’s tracking images, where the image loads a URL with tracking variables stuffed into it, the iframe is more powerful (though it can be blocked by internet security software): in addition to sending information, it can receive information, and it can load any web page.

Major concerns with iframes

  1. Website hijacking
    If the iframe contained “break out of frames” JavaScript (just one line, basic stuff), the jobseeker would be forced onto another website. Of course, modified code could redirect to any website, including one mimicking Universal Jobmatch to steal your data, a website hosting a virus or dangerous code, or a porn website.
  2. Privacy
    The iframe can set numerous cookies used to track you. Furthermore, when the page (and any images) loads, your computer sends a lot of information to their web server, including your IP address (effectively your computer’s house address).
  3. Phishing… inline
    The iframe could load a minimal web form in the same style as the Directgov Universal Jobmatch pages, requesting jobseekers’ personal data. The fact that it is on (and appears to be on) a secure (padlock) Government website is reassurance that your data is safe to enter. The submitted data could be used to steal your identity.
  4. Computer Security
    The iframe will load any website specified, so this could crash your computer or browser, create numerous bookmarks, change your homepage, or download and execute a virus or spyware application. (I have to add I got done over the other month by some pretend AntiVirus software after visiting a website off Google.. you know.. pay to get your computer back! I had to unplug internet and reboot PC immediately into safe mode (losing a lot of unsaved data in the process) via reset button as it wouldn’t let you shutdown or restart (or do anything for that matter)… was easy to remove, but worrying that it executed in the background of an up-to-date browser)

Full of expired, old and test jobs

Oh, and there are hundreds of test data jobs, including many old and expired jobs added to increase the numbers. Some jobs that were active on the old Directgov website got migrated across; however, many more (and expired) jobs have since been added to increase the numbers. Anyone job searching on the Sunday and Monday (19th) would have noticed the small number of jobs available, most of which were migrated from the EDon system (i.e. they had the LLL/NNNNN format reference).

Written by Universal Jobmatch

November 28, 2012 at 11:16 am

20 Responses

  1. Readers feel free to disclose any additional concerns with the Universal Jobmatch.

    if anyone is curious of the code to break out… (there are better ways of doing this, just an example)

    if (top.location != self.location) { top.location = self.location.href }

    (i.e. if page location (“top”) is different to iframe (“self” as code is in the iframe) location (“!” means “not”) change page location to iframe location)

    Universal Jobmatch

    November 28, 2012 at 11:36 am

  2. Yes, tweeted about a similar qa job ad dated today but no sign of the iframe etc. It was id 312403; I note it has gone now. Did notice those dated 11/11/2012 but did not look further, wish I had now & screencapped.. DWP now definitely monitoring tweets & websites trying to cover tracks over things like this. Test job ads that have been there over a week are being busily removed as I type when I check 😉

    Dave Smith

    November 28, 2012 at 12:34 pm

  3. And if a jobseeker “failed to apply” for one of these “qa” jobs it would be an automatic sanction.

    Job Seeker

    November 28, 2012 at 1:20 pm

  4. PROOF THAT SOME VACANCIES ARE TEST VACANCIES ON UNIVERSAL JOBMATCH.
    APPLIED FOR 3 OR 4 OF THESE IN DIFFERENT AREAS IE COLCHESTER IPSWICH DISS ETC. GOT ON SCREEN MESSAGE THAT I HAD ALREADY APPLIED FOR VACANCY. I HAD NOT. I TOOK THESE JOBS TO BE 3 – 4 DIFFERENT JOBS BECAUSE OF THE AREAS. LOOKS LIKE THEIR TRACKING HAS BACKFIRED

    LORD REITH

    November 28, 2012 at 1:42 pm

    • The jobcentre has always placed bogus vacancies on their “database” to trick and trap jobseekers into sanctions, so no change there then.

      Trip Trap

      November 28, 2012 at 2:10 pm

  5. Is there a complaint or comment form on the Universal JobMatch site we can use?

    karen

    November 28, 2012 at 2:04 pm

    • yes there was… but so many people tried to use it… which took the website down for hours LOL

      Universal Jobmatch

      November 28, 2012 at 6:24 pm

  6. VERY IMPORTANT: Note regarding ISP hostnames and IP addresses.

    Many ISPs are like this… if your IP address is 123.456.78.91 your hostname might be like this “91-78-456-123.isp-name.com” (IP in reverse order).

    If you are with Virgin Media, and enjoying much faster speeds… this is a bigger problem…

    Your hostname will be like “cpc1-ipsw2-3-4-cust567.8-9.cable.virginmedia.com”.

    Notice 3 major parts:
    1) cable.virginmedia.com – tells us we are using broadband (not really relevant haha)
    2) “ipsw” – short for Ipswich… I assume they have a few main areas (1,2,3 etc.)
    3) “cust” – I assume is short for customer.

    I would assume the hostname stays the same even if the IP changes, therefore this is a good measure to track people – even if it changed slightly then the customer number will remain the same! (naming convention designed to easily resolve IPs to customers in abuse claims (i.e. copyright/filesharers, law breakers etc.))

    Who knows? perhaps the DWP will abuse social security laws requesting the ISP hand over information on address? (Goes for all ISPs)

    Universal Jobmatch

    November 29, 2012 at 12:16 pm

  7. The bigger issue than a few test jobs which are obvious is that there is virtually zero checking of employers or jobs. Anyone can set up a free email account and register as an employer. They check that you have given a valid postcode and something that resembles a phone number, but you don’t have to own the address or the phone number. So you can easily register as, say, Barclays Bank with a gmail email address and your own mobile or a PAYG one. Or just make up a phone number as Monster who run the service for Jobcentre Plus don’t actually call it. As long as you can pick up the validation email from Government Gateway, you are a trusted employer. Then you can place adverts which again they don’t bother to check apart from some rudimentary automated checking (and the muppets have posted the vacancy checking rules online as well if you check the contract documents on the Contracts Finder web site). Anyone then applying for the jobs would have no idea that they are giving their details over to a potential fraudster. You can even send them to your own web site to apply for the job, so if you set up http://www.barclaysrecruitmentservices.com (for instance) you could easily make it look like they were dealing with the real company.

    On the old site (which wasn’t much good either) at least the first job placed was checked by a real person, and the employer advisers in job centres were involved with all vacancies for their area. In this drive for cost savings, Jobcentre Plus has taken the human element out and replaced it with a useless IT system from a US job board Monster. And they have just announced (quietly so nobody notices) that they paid them an extra £1.5 million above the original price so they could do more “assurance testing”. Money well spent.

    If you think any of this is made up, ask yourself why someone managed to register as “Secret Intelligence Service” aka MI6 using a hotmail account?

    Secret Squirrel

    November 29, 2012 at 12:54 pm

    • Well they used to check the first few new vacancies (from my experience), removing links etc., although they never verified the business exists or whether it’s a registered employer.

      They post you out a Government Gateway id (only if registering for EDon panel) but in this day and age it is not even tricky to get a temporary address.

      Universal Jobmatch

      November 29, 2012 at 5:06 pm

    • Oh… and you think they would have an automated list of banned organisations (i.e. names of Government Departments etc.) – as this is severe. We all call it MI6 but it’s actually officially titled S.I.S (like you stated).

      Even if they didn’t know how to achieve this they could have modified code online for a word censor. Not even bothered about DEFRA etc but if you cannot stop people registering up as any security service… shows a major issue.

      This is only half the issue… most jobs on the new site are from mass-imports and “Job Warehouse”… are clearly fake…

      Universal Jobmatch

      November 29, 2012 at 5:11 pm

  8. Trying to log-in to Universal Jobmatch but keep getting:

    Page error
    Error notice

    An error has occurred on the site, this issue has been logged. Please go back and try again. If the problem persists, please contact us.

    and can see this in the browser address bar: Microsoft.IdentityModel.Protocols.Saml2.MessageValidationException

    I spent the best part of yesterday and am still trying to sign up today, even the library staff don’t know what to do. This UJ stinks, don’t know what is going to happen when jc pulls me up for not registering. At least with a newspaper you can open the thing, read the vacancies and apply for the jobs!

    Frustrated - can't sign up to UJ - fear sanction

    November 30, 2012 at 2:06 pm

  9. I got the same, our WPP’s computers don’t let you register or log in at UJ. Then told JSA under threat of stoppage for being unable to do so.

    something survived...

    November 30, 2012 at 7:16 pm

  10. Universal Jobmatch is NOT compulsory and any Jobcentre staff that pretend it is could be guilty of “official misdirection”:

    http://www.pcs.org.uk/en/department_for_work_and_pensions_group/dwp-news.cfm/id/D34395B0-26B7-4E67-81B32F80CFEBB3E8

    Argurious

    December 4, 2012 at 2:30 pm

    • Yes – good to see C4 news on the ball. If only the other channels, especially bbc, had half their gumption and courage the public would be more aware of what this farce of a government is perpetrating.

      Gissajob

      December 6, 2012 at 9:06 pm

    • Well done Channel 4 for your crappy non-journalistic attempt at scaremongering.

      You see.. although I am glad this has been highlighted (by the media – this site and many others have raised this long ago – no attribution though)… and I have concerns over Monster’s security after past hack attacks… however, I feel it must be reported accurately.

      1) These people are not hackers (or crackers). Creating an email address and posting a job vacancy to obtain people’s details is not hacking.

      2) The woman was clearly clueless about the site and briefed – job site… job search site…

      3) It’s not a loophole. There simply is NO security as per “employer” or job advert. It wasn’t an API hack – getting higher privileges or bypassing security by an alternative method.

      4) Those who volunteer scans of their passport deserve ID theft… I mean really. You wouldn’t give a stranger on the street your passport (not like they can personally use it – without modifications anyhow) so why would you scan it to give to a stranger that you don’t even know anything about?

      5) The article clearly highlights Ipswich Unemployed Action’s concerns… with a brief experiment to report it. The list of data for ID theft was purely indicative and I doubt many (if any) actually sent scans of passport and driving licence etc. or anything outside data on a CV.

      Universal Jobmatch

      December 6, 2012 at 10:59 pm

      • They had contacted Ipswich Unemployed Action before the programme.

        I was out when the Channel Four news was on.

        Did they mention the material here?

        Andrew Coates

        December 7, 2012 at 10:16 am

      • Do you know what agenda 21 is? If not, find out, and its implications for freedom of speech and privacy.

        Mark

        March 3, 2013 at 12:07 pm

  11. How do I delete my posted comments?

    joyce

    April 2, 2013 at 10:42 pm
