Universal Jobmatch: Security Woes and Test jobs
Ipswich Unemployed Action warns jobseekers about Universal Jobmatch, a very insecure job search website whose problems are now known to extend beyond data security to your computer security.
Computer security at risk
The above is a job advertisement seen on Universal Jobmatch yesterday. There are a load of job listings titled “qa” in the London area.
What is so concerning about the above?
- The company name is both “golive1” and “golive12”… surely these must be the same? This suggests that the website, which also went down for quite a while yesterday, may have been hacked. Alternatively, it may be an input feed, “internal testing”, or perhaps the employer has two names to call itself… who knows.
- That rectangular shape with the scrollbars is an iframe (we explain below why this is worrying).
Luckily the iframe loaded a harmless website (one of the common beginner coding sites, and quite an awful one at that), but it could have been much worse. The rest of the job advert was copied and pasted into Google, and the Monster website came up across hundreds of pages, so it is official text; we can assume this is a “proof of concept” test.
Universal Jobmatch security concerns
The reason this is a big deal is that the website clearly doesn’t strip non-formatting HTML tags, so in theory it could allow script, meta, object, iframe and embed tags. (Externally loaded images using the img tag are an additional privacy concern.)
An iframe (<iframe … >) is an inline frame (that’s what the i means). A frame allows two or more pages to be included in one physical browser page; the pages in the frames load separately, so you can, for example, mix static pages with dynamic pages. Frames used to be used for navigation (one frame would be the navigation and the other, larger one the content page) and also for websites that link to others, so you could have a top frame with a back button.
An inline frame (iframe) lets you do this inside an existing page. Unlike Universal Jobmatch’s tracking images, where the image loads a URL with tracking variables stuffed into it, the iframe is a superior tracking tool (although it can be blocked by internet security software): in addition to sending information, it can receive information, and it can load any webpage.
Major concerns with iframes
- Website hijacking
The iframe can load up numerous cookies used to track you. Furthermore, when the page (and any images) load, your computer sends a lot of information to their web server, including your IP address (effectively your computer’s house address).
- Phishing… inline
The iframe could load a minimal web form in the same style as the directgov Universal Jobmatch site, requesting jobseekers’ personal data. The fact that it is on (and appears to be on) a secure (padlocked) Government website reassures you that your data is safe to enter. The submitted data could be used to steal your identity.
- Computer Security
The iframe will load any website specified, so this could crash your computer or browser, create numerous bookmarks, change your homepage, or download and execute a virus or spyware application. (I have to add I got done over the other month by some pretend AntiVirus software after visiting a website off Google… you know… pay to get your computer back! I had to unplug the internet and reboot the PC immediately into safe mode (losing a lot of unsaved data in the process) via the reset button, as it wouldn’t let you shut down or restart (or do anything for that matter)… it was easy to remove, but worrying that it executed in the background of an up-to-date browser.)
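The defensive counterpart to the weakness described above (a site that does not strip non-formatting tags from advert text), as an added example that is not Universal Jobmatch’s code: an allow-list sanitizer built on Python’s standard library that keeps only formatting tags, drops every attribute, and discards script, style, iframe, object and embed elements together with their contents, while recording what it removed so a job feed can be alerted on. The tag lists, class and function names, and the sample advert are all constructed for this example.

```python
from html.parser import HTMLParser
from html import escape

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li"}  # formatting only
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}  # drop inner text too

class FormattingOnlySanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a DROP_WITH_CONTENT element
        self.removed = []    # stripped tag names, useful for alerting on a job feed

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes dropped: no onclick=, style=, src=
        else:
            self.removed.append(tag)
            if tag in DROP_WITH_CONTENT:
                self.skip_depth = 1

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize_advert(html_text):
    # Returns (clean_html, removed_tags) for advert text arriving from a form or feed.
    parser = FormattingOnlySanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.removed

# Constructed sample advert: genuine text plus an iframe, tracking image, handler and script.
SAMPLE_ADVERT = (
    "<p>QA tester wanted in <b>London</b>.</p>"
    '<iframe src="http://example.invalid/form"></iframe><img src="http://example.invalid/t.gif">'
    '<p onclick="alert(1)">Apply <em>today</em>!</p><script>location="http://example.invalid"</script>'
)
```

Self-closing forms such as `<iframe … />` are handled by the parser’s default start-end handling, which calls the start and end handlers in turn, so the skip depth returns to zero.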
Full of expired, old and test jobs
Oh, and there are hundreds of test data jobs, including many old and expired jobs added to increase the numbers. Some jobs that were active on the old directgov website got migrated across; however, many more (and expired) jobs have since been added to increase the numbers. Anyone job searching on the Sunday and Monday (19th) would have noticed the small number of jobs available, most of which were migrated from the EDon system (i.e. they had the LLL/NNNNN format reference).