HR: Everyone must fill out these 100% anonymous surveys about how you feel about our company, its leadership, and how likely you are to leave in the next 6 months etc. Please be 100% honest, since again it is 100% anonymous. Reminder! You must use the individual links we sent to you, do NOT use someone else’s link. Oh did we say it’s 100% anonymous?

The Link:

www. surveygen .com/ companysurvey123 ?employeeName=boombodies &employeeId=6969

Dev: …
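A worked check of the point in the post, added here as an example and not code from the post or from the survey vendor: it parses the link, lists the query parameters that tie a submission to a person, shows why a sequential employeeId lets anyone rebuild every colleague's link (the brute-force question raised in the comments), and contrasts a duplicate-submission guard that needs no identity in the URL at all. The host `survey.example` stands in for the placeholder domain in the post, and `AnonymousSurvey` is a hypothetical design, not anything HR's tool is known to do.

```python
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Constructed from the post's defanged link (spaces removed). The host is a
# stand-in for the placeholder domain the poster used.
SURVEY_URL = ("https://survey.example/companysurvey123"
              "?employeeName=boombodies&employeeId=6969")

# Parameter names that tie a submission to a person. employeeName and
# employeeId appear in the post, "token" is mentioned by the poster in the
# comments; the remaining names are assumed common variants.
IDENTIFYING_PARAMS = {"employeename", "employeeid", "token", "uid", "userid", "email"}


def identifying_params(url: str) -> dict:
    """Return the query parameters that de-anonymise a survey link."""
    query = parse_qs(urlparse(url).query)
    return {k: v[0] for k, v in query.items() if k.lower() in IDENTIFYING_PARAMS}


def link_is_anonymous(url: str) -> bool:
    """True only when nothing in the query string names the respondent."""
    return not identifying_params(url)


def forge_links(url: str, id_param: str, ids) -> list:
    """Sequential IDs mean every other employee's link is derivable: rebuild
    the URL with each candidate ID. Only an unguessable per-link token
    (which the poster says was present) stops this; the ID alone does not."""
    parts = urlparse(url)
    base_query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    links = []
    for candidate in ids:
        q = dict(base_query)
        q[id_param] = str(candidate)
        links.append(urlunparse(parts._replace(query=urlencode(q))))
    return links


class AnonymousSurvey:
    """Hypothetical duplicate-submission control with no employee ID in the
    URL. The server stores only hashes of unused tokens; who received which
    token is assumed not to be recorded by the issuing process."""

    def __init__(self):
        self.unused = set()      # sha256 of tokens not yet spent
        self.responses = []      # answers only, no identity attached

    def issue_token(self) -> str:
        token = secrets.token_urlsafe(32)
        self.unused.add(hashlib.sha256(token.encode()).hexdigest())
        return token

    def submit(self, token: str, answers: dict) -> bool:
        """Accept a submission once per token; reject unknown or spent ones."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        if digest not in self.unused:
            return False
        self.unused.discard(digest)
        self.responses.append(dict(answers))
        return True
```

The token guard only removes identity from the link itself; whoever hands out the tokens can still record who got which one, so the issuing process, not the URL, is what the anonymity claim actually rests on.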

  • 13
    Deception 5/5
  • 10
    sqli time!
  • 8
    @iiii A perfect 5/7
  • 13
    Is it possible to submit the survey multiple times? Are employee IDs available? How about submitting it for each employee 50 times with random answers/lorem ipsum? Or submitting negative feedback as all managers in the top 2 levels?
  • 3
    But I know other employees' IDs 🤷🏽‍♂️
  • 1
    @qwwerty Haha, it’s a good thought but there was also a token parameter that I excluded for brevity
  • 5
    Correct reaction: Company-wide email explaining in detail on what levels HR fucked up here.

    And you should definitely fill that survey - might get you a raise when they fear you quitting soon...
  • 2
    @JustThat Ah so this is a common technique
  • 2
    Bart Simpson, employee number 420666 would like to share his opinions with the company.
  • 0
    Typing the domain into my browser leads to one of those 'ad websites'.
  • 2
    @NoOneCares I didn’t give the real domain
  • 2

    The Dark Night was just so unlike the movie: The Bright Day.
  • 8
    Even if it's anonymous, the smaller the team/company, the more likely some answer will make you recognizable, like: 100% of our UX department, which consists of 1 person, has criticized the design process.
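The small-team point above, as an added example (not from the commenter or the post): with constructed headcounts and responses, it lists the departments too small to report on separately and merges them before averaging, so that no reported number describes fewer than k people. The k=5 threshold, the department names and the scores are assumptions.

```python
from collections import Counter

# Constructed headcounts for a small company, including a one-person UX
# department like the one in the comment.
HEADCOUNT = {"Engineering": 12, "Sales": 5, "UX": 1, "Finance": 2}

# Constructed survey responses: one score per respondent, tagged by department.
RESPONSES = (
    [{"dept": "Engineering", "score": s} for s in (4, 5, 3, 4, 5, 4)]
    + [{"dept": "Sales", "score": s} for s in (2, 3, 2)]
    + [{"dept": "UX", "score": 1}]
    + [{"dept": "Finance", "score": s} for s in (3, 3)]
)


def identifiable_groups(headcount: dict, k: int = 5) -> dict:
    """Groups smaller than k: any figure broken down by such a group points at
    fewer than k people, so a per-group report is not anonymous for them even
    when the link itself carries no identifier."""
    return {g: n for g, n in headcount.items() if n < k}


def safe_breakdown(responses, key: str, k: int = 5) -> dict:
    """Average scores per group, merging groups with fewer than k respondents
    into 'Other'. If the merged bucket is itself still below k, it is dropped
    rather than reported."""
    counts = Counter(r[key] for r in responses)
    buckets = {}
    for r in responses:
        group = r[key] if counts[r[key]] >= k else "Other"
        buckets.setdefault(group, []).append(r["score"])
    if len(buckets.get("Other", [])) < k:
        buckets.pop("Other", None)
    return {g: sum(scores) / len(scores) for g, scores in buckets.items()}
```

Merging protects a single report; publishing the same survey cut several different ways (by department, by tenure, by office) can still isolate one person by differencing, so the threshold has to hold for every breakdown that is released, not just this one.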
  • 3
    To give them the benefit of the doubt:

    This might be stupidity rather than malicious intent.

    They might just have added some ID to avoid duplicate submissions.
    They know they work with tech, so if they really wanted to do tracking maliciously without getting caught, they wouldn't have done it with a query param.

    Still - a valid concern.
    Obviously it's not anonymous with that URL.

    Even if "no one will look at that" it's a huge privacy risk.
  • 2
    @jiraTicket Why not both? Malicious idea and stupid execution.
  • 0
    @qwwerty Employee IDs seem sequential, so I would say yes, all are available via brute force.