Job board website vulnerable to hacking, data interception
Joel Krahn/Yukon News
A popular Yukon job board website is vulnerable to hacking because its managers have not put common security measures in place.
YuWin.ca doesn’t use Secure Sockets Layer (SSL), which allows encryption of all the data exchanged between a client computer and the internet server hosting the website yuwin.ca.
“It’s rare to see (no SSL) these days,” said Martin Lehner, an IT specialist and co-owner of Tangerine Technology in Whitehorse.
“It’s quite surprising they wouldn’t encrypt,” Lehner said. “They’ve had executive directors who have been from the IT industry.”
SSL is becoming ubiquitous as even Google now encrypts all searches by default.
“At some point the entire internet will be SSL (encrypted) anyways,” Lehner said.
Because the data exchanged is not encrypted, an attacker could intercept a user’s login information.
While YuWin doesn’t hold information, such as social insurance numbers, that could be used for fraud or identity theft, hackers could still make use of the passwords used for YuWin accounts.
That’s because people often reuse the same password for different services, Lehner said.
“I would say anybody who has an account on the job board … should know their internet password is viewable at a minimum by the YuWin staff or anybody who has access to the backend,” he said.
And an attacker wouldn’t even need to be on the same internet network to intercept passwords, Lehner said.
All he or she would need to do is capture data flowing between Yuwin.ca’s server and other internet routers.
“Eventually if you wait long enough, you can pull traffic out,” Lehner said.
The lack of SSL also means an attacker could impersonate the website, and trick people into entering their login information.
It doesn’t matter that YuWin is a Yukon-based website, Lehner said, because hackers will scan the entire internet looking for vulnerable services.
Implementing SSL is neither expensive nor difficult, Lehner said.
“I would suspect that with the government who funds them, they probably expect the data is kept reasonably secure.”
YuWin chair Debbie Parent told the News the board was aware of the situation and working on it.
Parent asked the News to withhold publication of this story in exchange for first crack at a news release to be issued Tuesday. The News declined.