Randika Madhushan Perera

I Found a Critical Security Bug on Foundit.sg — Here's What Happened

How It Started

It began as a completely ordinary moment. A user (let's call them User A) received a job suggestion email from Foundit.sg — a job platform widely used across Singapore and Southeast Asia. Nothing unusual there.

But here's where it got interesting.

When User A forwarded that job suggestion email to a friend (User B), something unexpected happened. User B could click the link inside that forwarded email and — without entering any credentials — **be automatically logged into User A's account**.

Not just to view a job listing. Into the full account. With access to view, edit, and modify all of User A's personal details, job preferences, resume, and profile information.


The Bug Explained

The root cause is a classic but serious security flaw: unprotected magic links / auto-login tokens.
Foundit's job suggestion emails contained a one-click authentication link that:

  • Was not single-use (it could be clicked multiple times)
  • Was not bound to the recipient's device or IP address
  • Had no secondary verification step

This means anyone who received the forwarded email — intentionally or accidentally — could gain full unauthorized access to another person's account.
Impact:

✅ Unauthorized account access
✅ Personal data exposure (name, contact details, resume, etc.)
✅ Profile editing without consent
✅ Potential misuse of saved and applied jobs

Severity: CRITICAL


What I Did — Responsible Disclosure

I did not exploit the bug. I did not share it publicly. I followed the responsible disclosure process:

  1. Emailed Foundit at info@foundit.sg with a full, detailed bug report including steps to reproduce, impact analysis, and suggested fixes
  2. Waited for a response — no reply came via email
  3. Posted a gentle nudge on LinkedIn asking if they had received my report — after several days they replied to me
  4. Submitted to Open Bug Bounty to create an official public record of responsible disclosure

The Bug Was Fixed — But Not Properly

Eventually, the bug was addressed. However, the "fix" implemented was not a proper security patch.
Instead of fixing the underlying authentication token issue, they added an error message that reads:

"Ooops! We couldn't find this job under your current country preference. It might be listed under a different location. Try switching your country in Settings to view the job."

(Screenshot of the error message)

This is a UI-level workaround, not a true security fix. The root cause — insecure auto-login tokens — may still exist in other parts of the platform.

Zero Acknowledgment

Throughout this entire process:

  • No reply to my email
  • ✅ A response to my LinkedIn post, after several days, but with no further details
  • No acknowledgment of the report
  • No credit or mention anywhere

I'm not sharing this to shame Foundit. I'm sharing this because responsible disclosure deserves acknowledgment, and the security community deserves to know how platforms respond (or don't respond) to good-faith reports.


Lessons for Developers

If you're building a platform with email-based authentication links, please ensure:

  1. Magic links are single-use — expire immediately after first click
  2. Bind tokens to the recipient's identity — not just a URL
  3. Add device/IP verification for sensitive actions
  4. Have a clear security reporting channel — and actually respond to it
  5. Acknowledge responsible disclosures — even a simple "thank you" email goes a long way
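To make the token-level lessons (1–3) concrete, and to show why the flaw described under "The Bug Explained" cannot occur when they are followed, here is an added reference implementation of a magic-link service. It is example code written for this article, not Foundit's code, and everything in it (the `MagicLinkService` class, the browser-nonce cookie, the in-memory store) is an assumption about how such a service could be built. The key idea is that a link only works in the browser that asked for it, only once, and only for a short time: a forwarded copy has no matching browser cookie, so it is refused. Notification emails the platform sends unprompted (such as job suggestions) have no requesting browser at all, which is exactly why they should deep-link to the job and go through the normal login rather than carry an auto-login token.

```python
"""Magic-link issuance and redemption: single-use, short-lived, browser-bound.

Added example (not Foundit's code). The store is a plain dict; in production
the 'used' flag must be flipped atomically (conditional UPDATE, Redis GETDEL)
so two concurrent clicks cannot both succeed.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class LinkRecord:
    user_id: str
    browser_nonce_hash: str   # ties the link to the browser that requested it
    expires_at: float
    used: bool = False


class MagicLinkError(Exception):
    """Raised for any redemption failure; callers show one generic message."""


class MagicLinkService:
    def __init__(self, ttl_seconds: int = 900, clock: Callable[[], float] = time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._records: Dict[str, LinkRecord] = {}   # keyed by SHA-256 of the token

    @staticmethod
    def _h(value: str) -> str:
        return hashlib.sha256(value.encode()).hexdigest()

    def new_browser_nonce(self) -> str:
        """Random value to set as an HttpOnly cookie in the requesting browser."""
        return secrets.token_urlsafe(32)

    def issue(self, user_id: str, browser_nonce: str) -> str:
        """Create a link token for user_id, bound to browser_nonce. Returns the raw token."""
        token = secrets.token_urlsafe(32)
        self._records[self._h(token)] = LinkRecord(
            user_id=user_id,
            browser_nonce_hash=self._h(browser_nonce),
            expires_at=self.clock() + self.ttl,
        )
        return token   # only the hash is stored, so a database leak does not leak live links

    def redeem(self, token: str, presented_nonce: Optional[str]) -> str:
        """Validate and consume the token; returns the user_id to start a session for."""
        rec = self._records.get(self._h(token))
        if rec is None:
            raise MagicLinkError("unknown token")
        if rec.used:
            raise MagicLinkError("token already used")
        if self.clock() > rec.expires_at:
            raise MagicLinkError("token expired")
        if presented_nonce is None or not hmac.compare_digest(
            rec.browser_nonce_hash, self._h(presented_nonce)
        ):
            raise MagicLinkError("link opened from a different browser")
        rec.used = True   # consume before handing out a session (lesson 1)
        return rec.user_id


def _attempt(svc: MagicLinkService, token: str, nonce: Optional[str]) -> str:
    try:
        return "session for " + svc.redeem(token, nonce)
    except MagicLinkError as exc:
        return "rejected: " + str(exc)


def demo() -> Dict[str, str]:
    """Replay the forwarded-email scenario against the hardened service."""
    now = [1_000_000.0]                               # constructed clock, seconds
    svc = MagicLinkService(ttl_seconds=900, clock=lambda: now[0])
    results: Dict[str, str] = {}

    nonce_a = svc.new_browser_nonce()                 # User A's browser asked for the link
    token = svc.issue("user-a", nonce_a)

    # User B opens the forwarded email: no matching cookie, so the link is refused.
    results["forwarded"] = _attempt(svc, token, None)
    # User A opens it in the requesting browser: works exactly once.
    results["owner"] = _attempt(svc, token, nonce_a)
    results["replay"] = _attempt(svc, token, nonce_a)
    # A second link left unopened past its TTL is refused as well.
    token2 = svc.issue("user-a", nonce_a)
    now[0] += 901
    results["stale"] = _attempt(svc, token2, nonce_a)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:>9}: {outcome}")
```

The browser-nonce check is a practical form of lesson 3 (device binding) that does not depend on IP addresses, which change on mobile networks and behind corporate NAT. Even with these checks in place, a session started from a magic link should still require a fresh verification step before sensitive actions such as editing contact details or a resume.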

Relevant Authorities (Singapore)

If you encounter similar issues on Singapore-based platforms, you can report to:

  • Cyber Security Agency of Singapore (CSA) — csa.gov.sg
  • Personal Data Protection Commission (PDPC) — pdpc.gov.sg

Final Thoughts

Cybersecurity is a community effort. When someone takes the time to responsibly report a vulnerability instead of exploiting it, that deserves recognition — not silence.

I hope this story encourages platforms to take security reports seriously, and encourages more people to report vulnerabilities responsibly rather than ignore or exploit them.


Found this useful? Share it with your network. The more awareness, the safer our digital spaces become.