A website for SAP Customer influence programs exposes member data, creating the possibility of targeted social engineering attacks.
At the time of publication, the website is no longer accessible.
The programs are designed to help long-time customers and users make suggestions to SAP on how to improve its products and add new features. Ideas for future development can be submitted, debated and voted on before being taken up by the German software giant.
SAP operates six major customer influence programs accessible through a website open to thousands of members. While users can see each other’s names, companies, proposals and comments, those familiar with the back-end of SAP can easily get more information, says SAP consultant Tobias Hofmann in his blog.
The approach is based on access to OData service that provides data for SAP Customer Influence. OData is the open data protocol used to communicate with the SAP back-end through the SAP ABAP programming language.
“There are entities for groups, group members, or identities… giving access to companies, their employees, and detailed user information,” he explains. “The service does not apply any restrictions. It provides access to the full list of entity sets and data. Allows access to all information available by the service. No direct access to an entity [is] necessary for research. It’s like a database dump.”
Via the blog, Hofmann outlines how members could extract data from specific companies, including SAP itself, which offers 27,000 entries for SAP employees, although some may be duplicates. By searching for a specific senior executive, it reveals how a member can find an email address, MEMBER_ID, and other personal information.
Although not disastrous, the available data seems to go beyond the sensible design of such a system, he says.
“Passwords aren’t exposed and you can’t use CI to log in as another user. So that’s not too bad. Hopefully it depends on what you think you see your email and user ID exposed to thousands of CI users,” Hofmann says.
The information could be used by attackers for social engineering purposes, as colleagues can be discovered through the groups entity. At the very least, it could lead to targeted spam containing valid information such as a member’s last idea, comment, or login time, he points out.
There is no evidence that any such attack or spam campaign was launched using this technique.
Hofmann reported the data leak to SAP through official and secondary channels and told the company he planned to write an article. He claims that SAP simply said the site is working as expected.
When we asked SAP for comment, they replied, “SAP takes security very seriously and we are vigilant in addressing security issues.” ®