A website for SAP’s Customer Influence programs is exposing member data, creating the possibility for targeted social-engineering attacks.
At the time of publication, the website is no longer accessible.
The programs are designed to help customers and long-standing users make suggestions to SAP about how it can improve its products and add new features. Ideas for future development can be submitted, debated, and voted on before being taken up by the German software giant.
SAP runs six main Customer Influence programs accessible via a website open to thousands of members. While users can view each other’s names, companies, proposals, and comments, those with knowledge of SAP’s back-end can easily get hold of more information, argues SAP consultant Tobias Hofmann in his blog.
The approach relies on access to the OData service that provides the data for the SAP Customer Influence. OData is the open data protocol used to communicate with the SAP back end via the SAP ABAP programming language.
Hofmann points out that using the OData service gives members access to more data about fellow members than the privacy policy allows.
“There are entities for groups, group members or identities… giving access to companies, their employees and detailed user information,” he says. “The service is not enforcing any kind of restrictions. It gives access to the whole list of entity sets and data. Allowing access to all information available by the service. No direct access to an entity [is] needed for searching. It’s like a database dump.”
Via the blog, Hofmann exposes how members could extract data from specific companies, including SAP itself, which offers 27,000 entries for SAP employees, although some may be duplicates. Searching for a specific senior executive, he reveals how a member could find an email address, MEMBER_ID and other personal information.
Although it may not be disastrous, the data available seems to go beyond the sensible design of such a system, he says.
“Passwords are not exposed, and you cannot use CI to log in as another user. So, it is not super bad. If it’s OK depends on how you feel about seeing your email and user ID exposed to thousands of CI users,” Hofmann says.
The information could be used by attackers for social engineering as colleagues can be found out through the groups entity. At the very least, it could lead to targeted spam emails that include valid information like a member’s last submitted idea, comment, or logon time, he points out.
There is no evidence such an attack or spamming campaign has been launched using the technique.
Hofmann reported the data leakage to SAP via official and back channels and told the firm he planned to write a post. He claims SAP simply told the site works as designed.
When we asked SAP for comment, it responded: “SAP takes security very seriously and we are vigilant about addressing security concerns.” ®