Finding Security Design Flaw in a FAANG to later be ghosted by Recruiter: A funny Tale


Ronnie Joseph

Bug Bounty Hunting

itamargilad(.)com

This post is about a funny experience I had with one of the FAANG companies (F: Facebook, A: Amazon, N: Netflix, G: Google) + Microsoft after a recruiter reached out to me for a potential role with the cybersecurity team. Obviously, I can’t reveal the timelines, the name of the org, etc., and this post is just a fun-to-read experience.

I am currently a graduate student in the United States and actively looking for full-time security engineering roles in information security. Around this time, a recruiter reached out to me to ask if I was interested in a possible role and sent out a link where I could schedule a slot, according to their availability, for a discovery call.

Now imagine this interface where a potential candidate can go through the recruiter’s available free time slots and schedule a call. From my understanding and what I observed, the link sent by the recruiter has a preconfigured time limit for the slot (set by the recruiter), which is the maximum a candidate can book. In my case, I was allowed a time slot of 15 minutes only, chosen from any of the open slots.

If you are from a cyber security background, you might have guessed what could go wrong here.

Yes, it was possible to bypass the max time limit: tamper with the value and increase the time slot.

1. Browse to the recruiter URL for the meetup: GET /get-link?linkGuid=abc
2. Fill in general personal details.
3. Use Burp Suite’s match and replace on the POST response body to modify the 15-minute “duration” limit to 30 minutes.
4. The time slots are now manipulated, the candidate can book longer time slots, and this also increases the duration in the email reminder.

Although there is no external attacker here, the invited candidate can increase the meeting time limit with the recruiter. From an impact or business-risk perspective, this issue would not be rated very high, since the recruiter knows the slot times very well and this can only be performed by the candidate themselves.

But from a secure design perspective, this application doesn’t enforce any server-side validation of the slot duration and is susceptible to parameter tampering: the limit is only applied on the client, so whatever value the client sends back is what gets booked.
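To make the design point concrete, here is an added example (not code from the original post or from the company involved) of a minimal booking handler in two forms: one that trusts the client-supplied duration the way the post describes, and one that enforces the recruiter-configured maximum on the server. The link GUID, the 15-minute limit and the open slot are constructed sample data, and the handler names are assumptions.

```python
# Added example: server-side enforcement of a booking duration limit.
# LINK_CONFIG stands in for the recruiter-side settings keyed by link GUID;
# the values are constructed sample data, not anything from the original post.
from dataclasses import dataclass

LINK_CONFIG = {
    "abc": {"max_duration_min": 15, "open_slots": {"2024-01-10T14:00"}},
}


@dataclass
class Booking:
    link_guid: str
    start: str
    duration_min: int


def book_slot_vulnerable(link_guid: str, payload: dict) -> Booking:
    """Mirrors the flaw: the server copies whatever duration the client sent.

    The 15-minute limit only ever existed in the UI, so a client that changes
    "duration" to 30 gets a 30-minute booking (and a 30-minute email reminder).
    """
    cfg = LINK_CONFIG[link_guid]
    if payload["start"] not in cfg["open_slots"]:
        raise ValueError("slot not available")
    return Booking(link_guid, payload["start"], int(payload["duration"]))


def book_slot_hardened(link_guid: str, payload: dict) -> Booking:
    """Server-side check: the limit comes from recruiter config, never the client.

    A client-supplied duration is accepted only if it is a positive integer no
    larger than the configured maximum; anything else is treated as tampering.
    """
    cfg = LINK_CONFIG.get(link_guid)
    if cfg is None:
        raise ValueError("unknown link")
    if payload["start"] not in cfg["open_slots"]:
        raise ValueError("slot not available")
    try:
        requested = int(payload.get("duration", cfg["max_duration_min"]))
    except (TypeError, ValueError):
        raise ValueError("invalid duration")
    if requested <= 0 or requested > cfg["max_duration_min"]:
        raise ValueError(
            f"duration {requested} exceeds configured limit "
            f"{cfg['max_duration_min']}"
        )
    return Booking(link_guid, payload["start"], requested)


def accepted(handler, link_guid: str, payload: dict) -> bool:
    """Helper for comparing the two handlers: True if the booking went through."""
    try:
        handler(link_guid, payload)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed tampered request: the UI offered 15 minutes, the client sends 30.
    tampered = {"start": "2024-01-10T14:00", "duration": "30"}
    print("vulnerable accepts 30 min:", accepted(book_slot_vulnerable, "abc", tampered))
    print("hardened accepts 30 min:  ", accepted(book_slot_hardened, "abc", tampered))
```

The key difference is where the maximum lives: in the hardened handler the client can at most pick a value below the recruiter’s configured limit, and the same stored value should drive the calendar invite and the reminder email so that no downstream system re-reads the client’s number.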

As a goodwill gesture, I reached back out to the recruiter before our so-called discovery call, describing the issue at hand, and asked them to forward the details to the security team, offering my availability for any questions.

And I got ghosted after this :P

I wonder what would have happened if things had panned out differently. Anyway, this story is quite interesting and funny in itself.

Thanks for stopping by, and reach out to me on LinkedIn for anything.
