A hacker about to exploit an information disclosure vulnerability

Today's post aims to raise awareness of how companies leak information about their own internal processes, in a way that could help an attacker gain unauthorized access, simply by publishing job descriptions on job search websites.

In web development there are hard human limits that cannot be surpassed. A typical example is the amount of time required to become decent at a given skill, to become familiar with a particular software development framework, or to learn a new technology stack.

I've done some research and here's a list of some hard skills on high demand in the web development industry in 2021.

  • HTML
  • CSS
  • Sass
  • Less
  • JavaScript
  • jQuery
  • AJAX
  • Angular
  • React
  • Redux
  • Next.js
  • Vue.js
  • Node.js
  • MongoDB
  • PHP
  • Symfony
  • Laravel
  • WordPress
  • Magento
  • Prestashop
  • Ruby
  • Ruby on Rails
  • Jekyll
  • Python
  • Django
  • OOP
  • MVC
  • Unit testing
  • Functional testing
  • Mocha
  • Jest
  • PHPUnit
  • Behat
  • GraphQL
  • SQL Server
  • MySQL
  • Git
  • Apache
  • Nginx
  • Azure
  • AWS
  • GNU/Linux
  • Vagrant
  • Docker
  • Kubernetes
  • SEO

To keep the security argument simple, let me adopt a gross simplification: on average, a web developer needs four months of full-time work or study to actually learn any one of the skills listed above.

If this holds, a good, seasoned Symfony developer might well need four years (twelve skills at four months each) to master PHP, OOP, MVC, Symfony, MySQL, Nginx, REST APIs and Docker, plus some HTML, CSS, JavaScript and AJAX, in exchange for a competitive salary.

Besides the months needed to learn something new, there is also a limit on how many different things (areas of technical knowledge) can be kept in active use at one time, if we take into account The Magical Number Seven, Plus or Minus Two rule.

The Magical Number Seven rule comes from a 1956 paper by the cognitive psychologist George A. Miller suggesting that the number of objects an average human can hold in short-term memory is 7 ± 2.

Web development is constantly changing at a fast pace. The Magical Number Seven rule makes perfect sense in my opinion since some items of the list will get deprecated while you're keeping your focus on a particular software stack for one or two years.

In a nutshell, and realistically speaking, three new things a year is what you can learn (twelve months at four months each), and seven different things is what you can hold at a time; anything beyond that is wishful thinking, and wishful thinking in a job description is a signal an attacker can use.

A directory of companies falling victims to hackers

It is broadly accepted that there are five phases in hacking:

  1. Reconnaissance
  2. Scanning
  3. Gaining access
  4. Maintaining access
  5. Covering tracks

The first one, Reconnaissance, consists of the attacker gathering information about their target by every available means.

A few years ago while studying computer science, I learned that one of the first things a hacker would typically do at this stage is some sort of port-scanning with nmap, find out the operating system used by their victims, carry out OSINT analysis, and things like that.

But today an attacker can also run a job search on LinkedIn, Glassdoor, Indeed, Monster, virtually any job search site, and look for weak spots by studying how companies recruit software development staff.

There are plenty of unrealistic job descriptions.

Some skills are certainly transferable, and it is not the purpose of this article to disclose any particular company's information, but what would you expect from a company willing to hire senior developers who have supposedly mastered ten hard skills in only two years?

Such a posting reveals a lack of realism in how the company runs certain internal processes (hiring, onboarding, and by extension how much attention its systems actually get), and it can definitely be exploited as long as this information, which is sensitive information in my opinion, keeps being exposed on job search sites.

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor states the following:

There are many different kinds of mistakes that introduce information exposures. The severity of the error can range widely, depending on the context in which the product operates, the type of sensitive information that is revealed, and the benefits it may provide to an attacker.

So, are you a spy looking for secrets to take?

Then open your Tor Browser, visit a job search site, and look for companies hiring developers with unrealistic expectations. Remember, there are human limits that cannot be surpassed.

The number of hard skills required for a software development job should stay around seven so that developers can keep their focus and do a good job. As a really gross rule of thumb, nobody learns a new hard skill in less than, let's say, four months, even though some skills transfer more easily than others.
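The two rules of thumb above (about four months per hard skill, and about seven skills in focus at once) can be turned into a quick triage script. The following is an added example for this post, not tooling from the author; it uses a regex over a subset of the skill list above and a handful of constructed job postings, and the same check serves both sides: an attacker triaging postings during reconnaissance, and a hiring team reviewing its own job descriptions before they go public.

```python
"""Heuristic review of job postings for unrealistic skill stacks.

Added example (not the post author's code). It applies the post's two
rules of thumb to free-text job descriptions:

  * about four months of full-time effort per hard skill, so roughly
    three new skills per year of stated experience, and
  * about seven skills is the most a developer can keep in focus at once.

The postings below are constructed for the example. The regex-based skill
extraction is a deliberate simplification, not a parser for any job site.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Subset of the skill list from the post. "Less" is left out on purpose:
# as a plain English word it would produce false positives.
SKILLS = [
    "HTML", "CSS", "Sass", "JavaScript", "jQuery", "AJAX", "Angular",
    "React", "Redux", "Next.js", "Vue.js", "Node.js", "MongoDB", "PHP",
    "Symfony", "Laravel", "WordPress", "Magento", "Prestashop", "Ruby",
    "Ruby on Rails", "Jekyll", "Python", "Django", "GraphQL", "SQL Server",
    "MySQL", "Git", "Apache", "Nginx", "Azure", "AWS", "Docker", "Kubernetes",
]

MONTHS_PER_SKILL = 4      # the post's gross rule of thumb
MAX_SKILLS_IN_FOCUS = 7   # Miller's 7 +/- 2, used as a working limit

# Longest names first so "Ruby on Rails" is preferred over "Ruby".
_SKILL_RE = re.compile(
    r"(?<!\w)(" + "|".join(re.escape(s) for s in sorted(SKILLS, key=len, reverse=True)) + r")(?!\w)",
    re.IGNORECASE,
)
_CANON = {s.lower(): s for s in SKILLS}          # matched text -> canonical name
_YEARS_RE = re.compile(r"(\d+)\s*\+?\s*years?", re.IGNORECASE)


@dataclass
class Assessment:
    title: str
    skills: List[str]            # canonical names, first-seen order
    years: Optional[int]         # stated years of experience, if any
    findings: List[str] = field(default_factory=list)

    @property
    def months_needed(self) -> int:
        return len(self.skills) * MONTHS_PER_SKILL


def extract_skills(text: str) -> List[str]:
    """Return the distinct hard skills mentioned, deduplicated case-insensitively."""
    seen: List[str] = []
    for m in _SKILL_RE.finditer(text):
        name = _CANON[m.group(1).lower()]
        if name not in seen:
            seen.append(name)
    return seen


def extract_years(text: str) -> Optional[int]:
    """Pick the first 'N years' / 'N+ years' figure, or None if absent."""
    m = _YEARS_RE.search(text)
    return int(m.group(1)) if m else None


def assess(title: str, text: str) -> Assessment:
    """Flag a posting that breaks either rule of thumb."""
    a = Assessment(title=title, skills=extract_skills(text), years=extract_years(text))
    if len(a.skills) > MAX_SKILLS_IN_FOCUS:
        a.findings.append(
            f"{len(a.skills)} hard skills listed, more than {MAX_SKILLS_IN_FOCUS} can stay in focus"
        )
    if a.years is not None and a.months_needed > a.years * 12:
        a.findings.append(
            f"{len(a.skills)} skills need ~{a.months_needed} months at {MONTHS_PER_SKILL}/skill, "
            f"but only {a.years} years of experience are asked for"
        )
    return a


def review(postings: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each posting title to its findings (empty list means it looks realistic)."""
    return {title: assess(title, text).findings for title, text in postings.items()}


# Constructed sample postings, not real job advertisements.
SAMPLE_POSTINGS = {
    "Senior Full-Stack Developer": (
        "2+ years of experience. Must have: PHP, Symfony, MySQL, React, Redux, "
        "Node.js, MongoDB, GraphQL, Docker, Kubernetes and AWS."
    ),
    "Symfony Developer": (
        "4 years of experience with PHP, Symfony, MySQL and Nginx. "
        "Some HTML, CSS and JavaScript."
    ),
}

if __name__ == "__main__":
    for title, findings in review(SAMPLE_POSTINGS).items():
        status = "FLAGGED" if findings else "ok"
        print(f"[{status}] {title}")
        for f in findings:
            print(f"    - {f}")
```

The first constructed posting asks for eleven skills and two years of experience, so it trips both checks; the second asks for seven skills over four years and passes. Real postings need more care (number words such as "two years", skill names that are also ordinary words, and skills that genuinely transfer), so treat the output as a triage signal rather than a verdict.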
