Security loophole found in Telangana government’s TOMCOM portal


HYDERABAD: A security loophole in the official portal of the State-owned Telangana Overseas Manpower Company (TOMCOM), which made it possible for anyone to gain total administrative control of the portal by simply clicking on a link that shows up on a Google search, was identified by Express on Tuesday. Express alerted officials of TOMCOM and the State IT department; both responded actively and fixed the issue.

The issue came to light while using the advanced search options on Google. Search results showed numerous links titled “Dashboard Form: TOMCOM” which, when clicked, gave access to candidate details including Aadhaar and passport data. By gaining administrative control, potential hackers could view candidates' data and even take control of features on the website. The loophole also allowed anyone to send bulk SMS or emails to candidates, or even change the job status of candidates.

“The website was just created in January and new modules are still being added. It’s being developed by the State IT department. A security audit has not been done but we will do that soon. Once the modules are ready, we will also do a third-party audit. We will also be doing a forensic analysis to be on the safer side,” said TOMCOM general manager Nagabharathi.

TOMCOM was founded in 2015 to facilitate overseas employment opportunities for job aspirants from Telangana. It is one of the few agencies that have a valid recruitment licence under the Emigration Act. The company was founded to stop illegal overseas recruitment after cases of people going abroad for jobs through unlicensed agents became rampant. At a time when more and more people are falling prey to job scams, the loophole could have proved disastrous had it been noticed and used by such fraudsters, experts point out.

The New Indian Express
www.newindianexpress.com