
Plug the "Request as someone else" Security Hole that exists in DWP

score 145
Active

BMC needs to add the ability to hide the "Request as someone else" option from the preference area in DWP. (This option allows true impersonation: a user can request another user's services even if they are not entitled to them.)


If you turn on OBO (on-behalf-of) for a company so that users can fill out forms for another user, it works great as long as the user goes through the Service Page, because Entitlement controls which Services that user can see. You must have Entitlement to see the service, so there is no concern about a person using the form: they already have access to it in the DWP Market.

If this same user instead goes to the preference area of DWP and chooses the "Request as someone else" option, they can see ALL the forms of another user even if they are NOT entitled to them. This is a huge hole that needs to be fixed so that users cannot do this.
