How I found a vulnerability at Virgin

I am currently applying for jobs. Whilst I was filling out an application form for Virgin Media, I was offered the option to see my uploaded CV. What happened was quite surprising: the URL revealed the directory (folder) where my CV was stored. When I opened the directory I was able to see all past and present applications. This was a broken access control. In layman's terms this means that access to certain data was allowed without authorisation. Think of this as wanting to withdraw money and the bank handing it over without validating who you are or whether you even have a debit card on you.
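The exposure described above, as an added example that is not Virgin Media's code: a download handler that serves whatever path the URL names (a bare directory request returns a listing, which is exactly the failure), beside one that authorises by application record and resolves the file server-side. The applicant records, file names and upload directory are all constructed for the demo.

```python
"""Added example: broken access control on an uploaded-CV download endpoint,
with the hardened form beside it. Nothing here is Virgin Media's code."""
import tempfile
from pathlib import Path

# Constructed applicant records: application id -> (owner, stored filename)
APPLICATIONS = {
    "app-1001": ("alice", "app-1001.pdf"),
    "app-1002": ("bob", "app-1002.pdf"),
}


def make_upload_dir() -> Path:
    """Create a throwaway upload directory holding one constructed CV per record."""
    root = Path(tempfile.mkdtemp(prefix="cv-uploads-"))
    for _owner, fname in APPLICATIONS.values():
        (root / fname).write_text(f"CV contents of {fname}")
    return root


def vulnerable_download(root: Path, _user: str, target: str) -> str:
    """Serves whatever the URL names. The requester's identity is never consulted,
    and asking for the directory itself returns every stored CV's name."""
    path = root / target
    if path.is_dir():
        return "\n".join(sorted(p.name for p in path.iterdir()))
    return path.read_text()


def hardened_download(root: Path, user: str, application_id: str) -> str:
    """Authorise by record, not by path: the client names an application id, the
    server looks up the file itself and refuses anything the user does not own."""
    record = APPLICATIONS.get(application_id)
    if record is None or record[0] != user:
        raise PermissionError("not your application")  # deny by default
    path = (root / record[1]).resolve()
    # No traversal outside the upload root and never a directory listing.
    if path.parent != root.resolve() or not path.is_file():
        raise PermissionError("invalid file")
    return path.read_text()


def can_download(root: Path, user: str, application_id: str) -> bool:
    """True only if the hardened handler would serve the file to this user."""
    try:
        hardened_download(root, user, application_id)
        return True
    except PermissionError:
        return False
```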

https://twitter.com/virginmediajobs/status/786482092033007616

About 30,000–50,000 applications, past and present, were accessible. Personal information including telephone numbers, emails, where someone lives, and other details were out there in the open; my personal information was exposed as well. All this made me very concerned, since what was happening violated the Data Protection Act 1998. As soon as I found that there was a vulnerability I reported it to Virgin Media via Twitter. I didn’t get a reply, despite the Virgin Media account being relatively active and tweeting other people. They responded once I called the central office in Hammersmith, London, about 24 hours after initial contact.

Data Protection Act agreement

After speaking to a security engineer on a Friday at 21:00, I walked him through step-by-step and explained to him what the problem was and how to solve it.

Virgin resolved it, but unfortunately, despite talks of some sort of recognition for my work, I was informed the following Monday that I would not receive a reward or public recognition. Virgin told me: “Virgin will not comment on this”, “At the moment there is no programme to reward people for finding vulnerabilities”, “We can’t give you a preference over other candidates since it’s unfair”. They did, however, thank me a number of times on the phone and via email.

The problem is patched now but had I been someone with malicious intentions, I could have done a lot more and might not have reported it at all. Maybe we should try to promote a more open approach where people are being rewarded for good actions and public recognition through open media rather than trying to hide the fact that sometimes we all make mistakes.

EDIT 1 (23rd of October 07.38)

Just wanted to clarify that the vulnerability has been patched (a while ago) and I am writing this afterwards. Also, I did receive a thank you from them a number of times on the phone and by email.

I told Virgin Media long beforehand that I would like to write a blog post. I was told there would be no comment issued from them.

The goal of this post is to promote more openness and to suggest that companies should look into their security and maybe reward anyone who finds something wrong and reports it. Vulnerabilities should not be publicly disclosed until they are patched and public disclosure has been discussed.

This post was not made to campaign against Virgin Media. I applied there; why would I apply for a job at a company if I didn't want to work there? I respect Virgin Media and I still have the VR glasses they gave me at a job fair :)

EDIT 2 (23rd of October 19.30)

WOW

Also, someone posted a link to my article, which hit 265 upvotes on r/tech:

https://www.reddit.com/r/tech/comments/58vt6x/vulnerability_in_virgin_media_website_exposed/

EDIT 3 (24th of October 21.59)

Just hit 5k wow


Also IB Times wrote an article about this story:

EDIT 4 (1st of November 14.17)

Here is a list of all the news agencies who covered the story:

Also, 306 shares on LinkedIn.