USAJobs has no significant security risks, say auditors
Security auditors examining USAJobs, the federal government job vacancy announcement website managed by the Office of Personnel Management, say the site doesn't appear to pose any significant risk to the agency or its users.
In an OPM Office of Inspector General report (.pdf) dated July 26, auditors say they found no critical vulnerabilities but did uncover three high-severity vulnerabilities and a concern with the overall topology of the application.
The topology concern has to do with the USAJobs public website sharing a network address with the private and local data center environment. The lack of segregation, auditors say, lends itself to a high probability of data leakage, unauthorized access to sensitive data, or a conflict of interest between the development team and the production environment.
OPM officials told auditors that USAJobs was designed as a multitiered application that includes a web front end, a mid-level application tier and the backend database. These tiers are separated across logical networks with firewalls between them, they said.
However, auditors say the firewall is adequate to protect from external threats, but not from internal ones.
As for the high-severity weaknesses, two were code injection vulnerabilities. A review of source code found that two pages were vulnerable to a cross-site scripting attack; exploiting it would require an attacker to send users a phishing email containing a link with malicious code attached. The other code-injection vulnerability was an XML injection in the USAJobs iOS app.
The final vulnerability was a parameter-based redirection weakness in which an attacker would use phishing to trick a user into following a URL to a malicious website, auditors say.
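The two web-side weaknesses the auditors describe, reflected cross-site scripting and a parameter-based open redirect, are both fixed at the same place: where untrusted request data is turned into a response. The following Python is an added illustration of those two fixes and is not code from the report, from OPM or from USAJobs; the allowlisted hostnames and the `returnUrl` parameter name are constructed for the example.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist of hosts the application is permitted to redirect to.
# A real deployment would load this from configuration, not hard-code it.
ALLOWED_REDIRECT_HOSTS = {"www.example.gov", "login.example.gov"}


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Return `target` only if it is a same-site path or an allowlisted
    absolute URL; otherwise return `fallback`.

    The checks below cover the usual ways a redirect parameter is abused:
    absolute URLs to other hosts, scheme-relative "//host" forms,
    non-HTTP schemes such as javascript:, userinfo tricks ("good@evil"),
    and backslashes that browsers normalise into forward slashes.
    """
    if not target:
        return fallback
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: only http(s) to an allowlisted host.
        if parts.scheme not in ("http", "https"):
            return fallback
        if parts.hostname not in ALLOWED_REDIRECT_HOSTS:
            return fallback
        return target
    # Relative target: must be a single leading slash with no backslashes.
    if not target.startswith("/") or target.startswith("//") or "\\" in target:
        return fallback
    return target


def redirect_from_request(request_url: str, param: str = "returnUrl") -> str:
    """Extract the redirect parameter from a request URL and validate it."""
    query = parse_qs(urlsplit(request_url).query)
    return safe_redirect_target(query.get(param, [""])[0])


def render_search_results(query: str) -> str:
    """Reflect a user-supplied search term into an HTML body.

    html.escape with quote=True neutralises <, >, &, " and ', which is the
    correct encoding for text placed inside an HTML element body or a
    double-quoted attribute. Reflecting the raw string here is the reflected
    XSS pattern the auditors describe.
    """
    return f"<p>Results for: {escape(query, quote=True)}</p>"


if __name__ == "__main__":
    # Constructed requests: one benign, the others shaped like phishing links.
    for url in (
        "https://www.example.gov/login?returnUrl=/account",
        "https://www.example.gov/login?returnUrl=https://evil.example/",
        "https://www.example.gov/login?returnUrl=//evil.example/",
        "https://www.example.gov/login?returnUrl=https://www.example.gov@evil.example/",
    ):
        print(url, "->", redirect_from_request(url))
    print(render_search_results('<script>alert(1)</script>'))
```

The allowlist approach is deliberate: trying to block known-bad patterns in a redirect parameter is what leads to the bypasses enumerated in the docstring, whereas accepting only same-site paths or a short list of hosts needs no knowledge of attacker tricks at all.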
Auditors note in the report that OPM has remediated many of the vulnerabilities found in the course of their assessment.
- download the report, 4A-HR-OO-12-037 (.pdf)