While working on an afternoon project to add my own filtering to triplebyte's job search, I discovered a security issue.
Triplebyte had a "direct booking"[1] feature which allowed anyone who scored well on Triplebyte's assessments to visit a booking site (usually Calendly) and set up a call with a recruiter. It was optional, and the company set the required assessment scores.
Triplebyte's initial implementation stored the booking link in a 'book_now_link' field inside serialized JSON and included that JSON in the page source, whether or not the viewer met the requirements:
```json
"vip": {
  "exists": true,
  "skill_requirements": [
    {
      "key": "programmatic_problem_solving",
      "score": 4,
      "title": "General Coding Logic"
    }
  ],
  // This shouldn't be here:
  "book_now_link": "https://calendly.com/Redacted/30min",
  "assign_to_company_user_name": "Redacted Redacted",
  "min_years_xp": 4,
  "work_authorization_required": true,
  "salary_range": null,
  "calls_left": true,
  "status": {
    "status": "failed",
    "missing_requirements": [],
    "missing_skills": []
  }
}
```
It's a very simple bug: the link was embedded in the page for every visitor, even one whose status was "failed", so hiding it was left entirely to the client. Don't include sensitive information in your page and rely on the client to hide it.
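As an added illustration (not Triplebyte's code), here is the same serialization done two ways on the server: the vulnerable form sends every field and trusts the browser to hide the link, while the fixed form computes the status object itself and only emits book_now_link and the recruiter name when the candidate actually passed. The candidate shape (scores, years_xp, work_authorized) and the sample config are constructed assumptions.

```python
# Constructed sample modelled on the "vip" block above; values are placeholders.
VIP_CONFIG = {
    "exists": True,
    "skill_requirements": [
        {"key": "programmatic_problem_solving", "score": 4, "title": "General Coding Logic"},
    ],
    "book_now_link": "https://calendly.com/PLACEHOLDER/30min",
    "assign_to_company_user_name": "PLACEHOLDER",
    "min_years_xp": 4,
    "work_authorization_required": True,
    "salary_range": None,
    "calls_left": True,
}

# Fields a candidate should only ever receive after passing the gate.
PRIVATE_FIELDS = ("book_now_link", "assign_to_company_user_name")


def evaluate_status(vip, candidate):
    """Build the status object on the server (assumed candidate keys: scores, years_xp, work_authorized)."""
    missing_skills = [
        req["key"] for req in vip["skill_requirements"]
        if candidate["scores"].get(req["key"], 0) < req["score"]
    ]
    missing_requirements = []
    if candidate["years_xp"] < vip["min_years_xp"]:
        missing_requirements.append("min_years_xp")
    if vip["work_authorization_required"] and not candidate["work_authorized"]:
        missing_requirements.append("work_authorization_required")
    passed = vip["calls_left"] and not missing_skills and not missing_requirements
    return {"status": "passed" if passed else "failed",
            "missing_requirements": missing_requirements,
            "missing_skills": missing_skills}


def serialize_vip_vulnerable(vip, candidate):
    """The pattern in the post: every field reaches the browser, which is trusted to hide the link."""
    return {**vip, "status": evaluate_status(vip, candidate)}


def serialize_vip_fixed(vip, candidate):
    """Strip the private fields unless the server itself decided the candidate passed."""
    status = evaluate_status(vip, candidate)
    public = {k: v for k, v in vip.items() if k not in PRIVATE_FIELDS}
    if status["status"] == "passed":
        public.update({k: vip[k] for k in PRIVATE_FIELDS})
    return {**public, "status": status}
```

The returned dict is what would be serialized into the page; with the fixed version a "failed" viewer never receives the link at all, so there is nothing for the client to hide.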
Timeline
- 2021-09-16 - Issue reported by email
- 2021-10-05 - Issue reported using zendesk support ticket due to no response
- 2021-10-20 - Triplebyte responds saying it's fixed and offers $200
[1] The feature seems to have been removed entirely now.