HACKER Q&A
📣 etxm

Security vulnerability discovered during interview


I was recently on an interview where the team pair programs on real code as the “engineering challenge.”

During the interview we were working on a feature and I noticed what appeared to be a session fixation vulnerability where - and I kid you not - the session ID is the user’s email.

The product allows you to upload/download files to the user’s account.

I pointed it out to the engineer and the response was that it “was fine” because _they_ only cared about certain files and if other stuff ended up there it didn’t matter. I pointed out you’d be able to also _read_ any files (which are sensitive reports) and was told “you’d have to know the file name to download them.”

The file names are trivial to guess given you are familiar with the site.

While this isn’t a feature that could be exploited to take over a host, it could allow free file hosting, huge costs (if one kept uploading large files), and a potential data breach of sensitive customer information.

I am _not_ a security researcher or a colored hat wearer of any sort.

What would you do in this scenario?
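
As an added illustration that is not part of etxm's post and is not the product's own code: a constructed Python sketch of the design described above (the session cookie is the account e-mail, files are fetched by name) beside a hardened version that issues a random server-side session token on every login and checks that token before serving or storing anything. The accounts, file names and contents are made up for the example.

```python
"""Constructed example: session ID equal to the e-mail vs. a random server-issued token.

Everything here runs in memory; no real web framework is involved. The
"cookie" is just the value a client would send back in the session cookie.
"""
import secrets

# Constructed per-account file store: e-mail -> {file name: contents}.
# The file names follow an obvious pattern on purpose, as the post describes.
FILES = {
    "alice@example.com": {"report-2024-01.pdf": b"alice's sensitive report"},
    "bob@example.com": {"report-2024-01.pdf": b"bob's sensitive report"},
}


# --- Vulnerable design: the session cookie *is* the e-mail address -----------

def vulnerable_login(email):
    """The server sets the session cookie to the e-mail itself."""
    return email


def vulnerable_download(session_cookie, filename):
    """Serves whatever file sits under the account named by the cookie.

    Nothing ties the cookie to an authenticated login, so knowing a victim's
    e-mail plus a guessable file name is enough to read the file.
    """
    account = FILES.get(session_cookie)
    if account is None:
        return None
    return account.get(filename)


def vulnerable_upload(session_cookie, filename, data):
    """Stores data under any account the caller names; no size limit either."""
    FILES.setdefault(session_cookie, {})[filename] = data
    return True


def attacker_reads_victim_file_vulnerable(victim_email, guessed_name):
    """The attacker never logs in; they simply put the victim's e-mail in the cookie."""
    return vulnerable_download(victim_email, guessed_name)


# --- Hardened design: unguessable token, server-side session table -----------

SESSIONS = {}  # token -> e-mail, kept only on the server


def hardened_login(email):
    """Called only after the credential check has succeeded (not shown here).

    A fresh 256-bit token from the OS CSPRNG is issued on every login, so the
    cookie value cannot be guessed and a pre-set cookie is never honoured.
    """
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return token


def hardened_download(token, filename):
    """Resolves the account from the session table, not from the cookie text."""
    email = SESSIONS.get(token)
    if email is None:
        return None
    return FILES.get(email, {}).get(filename)


def hardened_upload(token, filename, data, max_bytes=10_000_000):
    """Requires a live session and caps the upload size (assumed limit)."""
    email = SESSIONS.get(token)
    if email is None or len(data) > max_bytes:
        return False
    FILES.setdefault(email, {})[filename] = data
    return True


def attacker_reads_victim_file_hardened(victim_email, guessed_name):
    """Same forged-cookie attempt against the hardened server."""
    return hardened_download(victim_email, guessed_name)
```

Against the vulnerable functions the forged cookie returns the victim's report and `vulnerable_upload` accepts arbitrary data under any account, which is the free-hosting and cost problem described above; against the hardened functions the same requests fail because the e-mail is not a valid token. In a real deployment the token would also go out with `HttpOnly`, `Secure` and `SameSite` cookie attributes and be rotated on privilege changes.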


  👤 hrgiger Accepted Answer ✓
No matter how your interview experience was, keep it professional and drop them an email via an official channel; if possible, also include interested parties, informing them: "Hey, during the interview we faced issue X and I raised my concerns, but it was bugging me, so to make sure I am dropping you an email with the details below, since it is better to double-check than to be sorry." Maybe the recruiter was in a hurry during the interview and didn't give it enough attention, or maybe another candidate heard about the vulnerability, or, worst case, in the future someone finds the same weakness and uses it to damage the company. Instead of bothering yourself, let them deal with it.