
191,000 email addresses leak from Avito resume

About a week ago, when I was googling an unknown number (from missed calls), I suddenly came across it in the output as a PDF file from Avito, which gave an error when I clicked on a direct link, but got into the cache. It looked something like this:

[Screenshot: sample search results]

The general form of the link: `m.avito.ru/[listing address]/export/pdf`.

Everything can be found with the query `site:avito.ru inurl:export/pdf` (Google, Yandex).

While Google promises 191,000 results (it actually shows about 640; the output limit seems to apply), Yandex has only 152 hits and does not offer a cached copy explicitly (but the addresses themselves can easily be pulled out with slightly modified queries such as `site:avito.ru inurl:export/pdf mail.ru`). The listings date from roughly August to November of this year.

The official response of the company:

[Screenshot: official response]

So it is our problem, yours and mine, that the company let our data leak onto the public network; everything is fine.

Judging by the fact that the search results contain resumes (and obviously not all of them), I can assume that Avito gives companies and their recruiters some kind of access to the resume database with an export option. Moreover, in the agreement Avito has reserved the right to transfer this data to third parties:

10.1. Avito has the right, and the User hereby gives its consent to this, transfer its rights and / or obligations under this User Agreement, both in general and in part, to a third party.
10.2. In the case of the transfer of rights and/or obligations, both in whole and in part, under this User Agreement to a third party, the third party has the right to provide analogous or similar services on another site.

But besides these points there are those where Avito undertakes to keep this secret:

Avito takes all necessary measures to protect the User’s personal data from unauthorized access by third parties.

On November 23, I sent a support request describing the problem and received two standard replies: “Thank you for contacting Avito Support” and “A check will be carried out on your request”. I think a few days should have been enough to fix robots.txt and clear the search results? Unfortunately, no security contacts or administrators could be found. Then I contacted the official group on VKontakte, repeating the problem; you can see the answer above.
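As an added example (not from the original post or from Avito), here is a small checker for verifying that a crawl-blocking rule actually covers the export path named above. The robots.txt fragment is an assumed rule, not Avito's real file; the matcher implements the `*` and `$` wildcard semantics that Google and Yandex apply, which the standard-library `urllib.robotparser` does not support. Note that such a rule only asks well-behaved crawlers to stop: it does not remove copies already in a search engine's cache and is no substitute for requiring authentication on the export endpoint.

```python
import re
from urllib.parse import urlsplit

# Constructed robots.txt fragment (assumed, not Avito's actual file): block
# the resume export path for every crawler while leaving the rest crawlable.
ROBOTS_TXT = """User-agent: *
Disallow: /*/export/pdf
Allow: /
"""

def parse_rules(text):
    """Return (allow_flag, pattern) tuples from the 'User-agent: *' group."""
    rules, in_group = [], False
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            in_group = (value == "*")
        elif in_group and field in ("allow", "disallow") and value:
            rules.append((field == "allow", value))
    return rules

def pattern_to_regex(pattern):
    """'*' matches any run of characters; a trailing '$' anchors the end."""
    anchored = pattern.endswith("$")
    body = pattern[:-1] if anchored else pattern
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in body)
    return re.compile("^" + regex + ("$" if anchored else ""))

def is_crawl_allowed(url, robots_txt=ROBOTS_TXT):
    """Most specific (longest) matching rule wins; ties go to Allow."""
    path = urlsplit(url).path or "/"
    best = None  # (pattern length, allow flag)
    for allow, pattern in parse_rules(robots_txt):
        if pattern_to_regex(pattern).match(path):
            length = len(pattern)
            if best is None or length > best[0] or (length == best[0] and allow):
                best = (length, allow)
    return True if best is None else best[1]
```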

I hope the company will pay attention to the problem in the near future.

UPD 28.11: Avito is not responding at all; I am clearing the cache on my own.
UPD 30.11: The Yandex results were almost cleared, only 3 results left (later all 152 results came back; apparently there were some temporary problems with the search output), while Google now finds “only” 185,000 results.
UPD 01.12: VKontakte answered again, waiting for the results:

UPD 08.12: Everything is clean in both Google and Yandex. They return 1-3 results, but without a cached copy.
UPD 14.12 : Google has 137,000 results with a cache, Yandex is empty.

Source: https://habr.com/ru/post/271859/
