SAP community website leaks member data to savvy users
2022-03-18 11:49

SAP runs six main Customer Influence programs accessible via a website open to thousands of members.

While users can view each other's names, companies, proposals, and comments, those with knowledge of SAP's back end can easily get hold of more information, argues SAP consultant Tobias Hofmann in his blog.

The approach relies on access to the OData service that provides the data for SAP Customer Influence.

OData is the open data protocol used to communicate with the SAP back end via the SAP ABAP programming language.

In the blog, Hofmann shows how members could extract data for specific companies, including SAP itself, which accounts for 27,000 entries for SAP employees, although some may be duplicates.

Hofmann reported the data leakage to SAP via official and back channels and told the firm he planned to write a post.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/03/18/sap_customer_influence_leak/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
SAP 328 25 679 386 113 1203