On a job application site for my local government it reveals if a specific social security number has been used or not on that site. The site is very outdated.

  • thenumbernine@infosec.pub · ↑6 · 5 hours ago

    This is CWE-204; there are loads of big companies that don’t care about this. Netflix is one of them, where you can enumerate registered users’ email addresses from the login screen.

    If you want to report this to them you can check if they have a security.txt file at https://domainhere/.well-known/security.txt where they should list the contacts to their security team.

  • foodandart@lemmy.zip · ↑65 ↓1 · 13 hours ago

    001-05-1120 was the number on the fake SS cards that used to be the inserts in wallets that had a clear plastic window for your ID. It is actually a number that the SSA set aside for advertising.

    I use it where any business requires a SS number to get services.

  • stoy@lemmy.zip · ↑70 ↓2 · 14 hours ago

    Here is a reminder for all US citizens.

    Your social security number is simply a serial number with zero checksums or any logic built in.

    If you want another valid social security number you can simply pick a number before or after your own.

    The social security number was never designed to be a general ID number, and should not be used as such.

    • PriorityMotif@lemmy.world (OP) · ↑17 ↓1 · 14 hours ago

      We’ll see if I get there, I obviously used a phony SS number because f that. I also have zero professional IT experience, just homelab stuff, building PCs, running a Lemmy instance, that kind of stuff. I know I can do the job, it’s just hard to get your foot in the door. I’m considering getting CompTIA Network+.

      • nymnympseudonym@piefed.social · ↑21 ↓1 · 14 hours ago

        Using a fake SSN on a job application is profoundly counterproductive.

        If you don’t trust them with your SSN, why are you applying?

        When they try the standard background check and find you lied, they will have no interest in you.

        • PriorityMotif@lemmy.world (OP) · ↑7 ↓4 · 14 hours ago

          Would you hire someone for IT if they willingly put their SSN into a random, sketchy, insecure-looking website? I have never had another online application ask for that.

          • gtr@programming.dev · ↑3 · 5 hours ago

            This is correct. It could even be part of the application process. I would write them an email that the obvious fake one didn’t work and you’ll not put your SSN on that site for security concerns. Especially not in the application phase. If they reject you for that you have dodged a bullet.

          • Davel23@fedia.io · ↑17 · 13 hours ago

            I can assure you they are far more interested in your ability to follow instructions than they are in your online hygiene.

              • nymnympseudonym@piefed.social · ↑5 · 13 hours ago

                Maybe they’re a local government, they inherited this undocumented unmaintained system and really need help? Sounds like that’s what’s happening here.

                It would be different if the application was for a dodgy online make-money-from-home setup.

          • y0kai [he/him]@anarchist.nexus · ↑1 · 7 hours ago

            I have the A+ and am already scheduled for the Network+ test. I still consider myself quite the noob, but am learning a lot. I will look into the CCNA, as you’re not the first to mention it to me. Next on my list was Security+, however. At this point, I just want any entry-level job in IT. Or fuck… almost any job at all. Going on 6 months of unemployment here.

  • Rhaedas@fedia.io · ↑7 · 13 hours ago

    Never give any info in a security error. Just say there was an error. Goes right along with the rule to sanitize any and all input. Trust no one and nothing.

  • Hello_there@fedia.io · ↑5 · 12 hours ago

    Depends on the size of the agency. You can already guess a SSN based on the range of numbers used. If you were targeting the youngest or oldest person at a small agency, you could probably get a high-percentage chance of getting a match.

    • PriorityMotif@lemmy.world (OP) · ↑2 · 12 hours ago

      True, but this is all applicants as it’s a third party website. So likely not a huge issue, but it does lead me to believe there are other issues with their data handling.

      • Hello_there@fedia.io · ↑1 · 8 hours ago

        Wonder if that record of SSNs that it’s checking against is encrypted. That seems harder, so maybe that’s a step they skipped?

  • Nate Cox@programming.dev · ↑4 · 13 hours ago

    I’m not sure how dangerous that is. They’re not coupling that warning with any other data, so all you know is that a social already exists in that system. I don’t see a way from the screenshot to gather more info around the social.

    I guess if you already knew someone’s social you could query to see if they’re in the system?

    Seems like they’re trying to be helpful by telling you that you already have an account, but even if this turns out to be completely safe I still wouldn’t have provided that warning, just in case. “Something happened, please call us” seems wiser.
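The thread makes three related points: thenumbernine names the weakness (CWE-204, observable response discrepancy), Rhaedas and Nate Cox give the fix (say nothing specific in the reply), and Hello_there asks whether the SSN records being checked are even encrypted. The following is an added example written for this thread, not code from the job site or from anyone posting here. It puts the leaky handler next to a uniform-response handler and stores only keyed hashes (HMAC-SHA256) of the SSNs, so the lookup table holds no plaintext. Both handler names, the pepper, the registry and the sample numbers are constructed for the demo; 001-05-1120 is the SSA advertising number mentioned above, and 987-65-4320 is in an area-number range the SSA has never issued.

```python
"""Observable response discrepancy (CWE-204) on an "is this SSN already used?" check.

Added example; not code from the site or from anyone in the thread. The two
handlers, the pepper, the registry and the sample numbers are all constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import re

# Constructed demo pepper. In a real deployment the key lives in a secret
# manager or HSM, never beside the table it protects.
PEPPER = b"constructed-demo-pepper-do-not-reuse"

# One wording for every outcome the user is allowed to see.
NEUTRAL_MESSAGE = ("Thanks, we received your submission. If an account already "
                   "exists for you, the next steps are sent to its contact details.")


def normalize(ssn: str) -> str:
    """Reduce 'ddd-dd-dddd' or 'ddd dd dddd' to nine bare digits, or raise."""
    digits = re.sub(r"[\s-]", "", ssn)
    if not re.fullmatch(r"\d{9}", digits):
        raise ValueError("SSN must be nine digits")
    return digits


def fingerprint(ssn: str) -> str:
    """Keyed hash (HMAC-SHA256) of the SSN.

    An unkeyed hash would be pointless here: there are under a billion
    candidate SSNs, so a leaked table of plain SHA-256 values is brute-forced
    quickly. With the pepper held outside the database, the table alone is useless.
    """
    return hmac.new(PEPPER, normalize(ssn).encode(), hashlib.sha256).hexdigest()


# Constructed registry. 001-05-1120 is the SSA-reserved advertising number
# mentioned in the thread; nothing here maps to a real person.
REGISTERED = {fingerprint("001-05-1120")}


def leaky_check(ssn: str) -> str:
    """The behaviour the thread describes: the reply itself discloses membership."""
    if fingerprint(ssn) in REGISTERED:
        return "This Social Security number has already been used on this site."
    return "OK, continue to the next page."


def hardened_check(ssn: str) -> tuple[str, dict]:
    """Same lookup, but every observable part of the reply is identical.

    Returns (message_for_user, event_for_internal_log). The bit that differs
    (known or not) only ever reaches the server-side log; the real divergence,
    e.g. "your application is already on file", goes out of band to the
    contact details already on record for that account.
    """
    try:
        fp = fingerprint(ssn)
    except ValueError:
        # A format error says nothing about who is registered, so it may be specific.
        return "Enter the number as ddd-dd-dddd.", {"event": "ssn_format_rejected"}
    known = fp in REGISTERED
    event = {"event": "ssn_submitted", "known": known}   # audit log / alerting only
    return NEUTRAL_MESSAGE, event


def responses_distinguishable(handler, a: str, b: str) -> bool:
    """Black-box check a reviewer can run: do two inputs yield different replies?"""
    ra, rb = handler(a), handler(b)
    if isinstance(ra, tuple):      # hardened_check returns (message, event)
        ra, rb = ra[0], rb[0]
    return ra != rb


if __name__ == "__main__":
    # 987-xx-xxxx is an area number the SSA has never issued (constructed sample).
    known, unknown = "001-05-1120", "987-65-4320"
    print("leaky distinguishable:   ", responses_distinguishable(leaky_check, known, unknown))
    print("hardened distinguishable:", responses_distinguishable(hardened_check, known, unknown))
```

The uniform wording is the smallest part of the fix. If the status code, redirect target, response time or the next page differ between the two branches, the oracle simply moves there, which is why `hardened_check` returns the same message and the same next step for both cases and pushes the "you already have an account" notice to a channel only the account holder can read. The keyed fingerprint answers Hello_there's question in the only way that works for a nine-digit keyspace: without the pepper, a dumped table cannot be reversed by enumeration.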