Marketing first, data privacy last

Published by Tobias Hofmann on


SAP announced a new product and held a major online event to promote it. For anyone following the SAP world even a little, it was hard to avoid the marketing hype around the Business Unleashed event. Registration was open to everyone with a business e-mail address. The target group was inclusive.

An SAP event, online, for free, which promised to announce something interesting. Who did not sign up? In case you did, a personal e-mail was sent out before the event.

To access the event, a personal link was included in the e-mail. Personal links per se are not a problem. They just need to be done right. In the case of the Business Unleashed personal link, it was the opposite of done right. How SAP handled the personal link here is a prime example of how not to do it.

The short version: it was trivially easy to access the private data of other people who registered for the event: name and e-mail address.

For a longer version, please continue reading.

The personal link looks like: https://broadcast.sap.com/go/unleashed?regid=3730557

What makes this link a personal link? After the event name, the value of the regid parameter is the only unique part. Therefore, that parameter value must identify the registered user. Regid is a plain number. That alone is already a mistake. Further decisions that ignored basic data privacy turned it into an epic fail.

The link opens the broadcasting solution SAP uses. First the lobby.

After the event started, the live stream.

There was a chat available, and when you typed something into the chat, a warning message was shown that you would post this with the name you provided during registration. Where does the chat app get this information from? No logon was needed so far, just the link. Therefore, yes, the personal link is tied to your personal information. This became clear when clicking on the “Request more info” button on the top right. A popup appears asking if your contact information can be shared with SAP.

The popup includes personal data: name and e-mail address. Through the business e-mail address, it effectively reveals the company name as well.

Again: the only thing needed to get there is the link. Change the number in the regid parameter and you access the broadcasting app as a different user. 3759361, 3730458, 3734645, … If the regid is a valid number, the stream opens. If not, an error message is shown.

Not only does this allow you to log on as a different user, it also shows clearly whether the registration ID used is valid or not. All it takes to get a nice list of names and valid e-mail addresses is to go through a finite range of numbers. Side effect: you also get to know how many people signed up for the event.
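The walk-up-by-one pattern described above is easy to spot on the server side if anyone looks. The following is an added example, not code from the original post or from SAP: it parses a few constructed access-log lines (the host, IPs, timestamps and status codes are made up; the `/go/unleashed?regid=` path is taken from the post) and flags clients that request several adjacent registration IDs, which is exactly what an enumeration looks like in a log.

```python
import re
from collections import defaultdict

# Constructed sample access log (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2021:09:00:01 +0000] "GET /go/unleashed?regid=3730557 HTTP/1.1" 200
10.0.0.5 - - [10/Mar/2021:09:00:02 +0000] "GET /go/unleashed?regid=3730558 HTTP/1.1" 404
10.0.0.5 - - [10/Mar/2021:09:00:03 +0000] "GET /go/unleashed?regid=3730559 HTTP/1.1" 200
10.0.0.5 - - [10/Mar/2021:09:00:04 +0000] "GET /go/unleashed?regid=3730560 HTTP/1.1" 200
10.0.0.5 - - [10/Mar/2021:09:00:05 +0000] "GET /go/unleashed?regid=3730561 HTTP/1.1" 404
10.0.0.9 - - [10/Mar/2021:09:01:00 +0000] "GET /go/unleashed?regid=3734645 HTTP/1.1" 200
10.0.0.9 - - [10/Mar/2021:09:05:00 +0000] "GET /go/unleashed?regid=3734645 HTTP/1.1" 200
"""

# Client IP, the regid that was requested and the HTTP status of the answer.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) .*?"GET /go/unleashed\?regid=(?P<regid>\d+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def parse_log(text):
    """Return a list of (ip, regid, status) tuples for matching lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ip"], int(m["regid"]), int(m["status"])))
    return events


def find_enumerators(events, min_distinct=3, max_gap=1):
    """Return {ip: summary} for clients that touched at least `min_distinct`
    different regids which lie next to each other (difference <= max_gap).
    A legitimate attendee opens one regid, possibly several times; a client
    walking through consecutive numbers is what we want surfaced."""
    per_ip = defaultdict(list)
    for ip, regid, status in events:
        per_ip[ip].append((regid, status))

    suspects = {}
    for ip, hits in per_ip.items():
        regids = sorted({r for r, _ in hits})
        if len(regids) < min_distinct:
            continue
        adjacent_pairs = sum(1 for a, b in zip(regids, regids[1:]) if b - a <= max_gap)
        if adjacent_pairs >= min_distinct - 1:
            suspects[ip] = {
                "distinct_regids": len(regids),
                # 404s are the "invalid id" oracle the post describes
                "not_found": sum(1 for _, s in hits if s == 404),
                # which registrations this client actually got into
                "valid_ids_seen": sorted({r for r, s in hits if s == 200}),
            }
    return suspects


if __name__ == "__main__":
    for ip, summary in find_enumerators(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The thresholds are deliberately low so the constructed sample triggers; on real traffic they would be tuned per event, and the alert would feed rate limiting or token revocation rather than just a report.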

In the chat, people could ask questions and got them answered by SAP. Of course, the chat service includes not only the name of the person answering the question, but also their user ID. Going through the JSON response, you can find names and user IDs of SAP employees, or in some cases only the user ID.

"qpublic": false,
"answerByName": "R G",
"answerByUserID": "D0xxxx4",
"answer": "Yes! You will …",

"answerByName": "Expert",
"answerByUserID": "I518xxx",
"qpublic": false,
"answer": "Hey, no …",
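The fix for the chat leak is not to strip one field, but to let only the fields the UI renders leave the server. The following is an added example, not code from the post or from the broadcasting product: it takes answer records shaped like the fragments above (values are placeholders) and projects them onto an allow-list before serialization, plus a small check that a response test can run against the output.

```python
import json

# Constructed records with the same shape the post shows; values are placeholders.
RAW_ANSWERS = [
    {"qpublic": False, "answerByName": "R G", "answerByUserID": "D0xxxx4",
     "answer": "Yes! You will ..."},
    {"answerByName": "Expert", "answerByUserID": "I518xxx", "qpublic": False,
     "answer": "Hey, no ..."},
]

# Allow-list: exactly what the chat widget displays. A field added to the
# internal record later (another id, an e-mail) is NOT exposed by default.
PUBLIC_ANSWER_FIELDS = ("answerByName", "answer")


def to_public_answer(raw):
    """Project one internal answer record onto the public field set."""
    return {k: raw[k] for k in PUBLIC_ANSWER_FIELDS if k in raw}


def render_answers(raw_answers):
    """Serialize the answers the way the chat endpoint should return them."""
    return json.dumps([to_public_answer(a) for a in raw_answers])


def leaks_internal_ids(payload, forbidden=("answerByUserID",)):
    """Response test: does a serialized payload still carry an internal field?"""
    return any(f in item for item in json.loads(payload) for f in forbidden)


if __name__ == "__main__":
    print(render_answers(RAW_ANSWERS))
```

The `leaks_internal_ids` check belongs in the endpoint's integration tests, so that a refactor that starts serializing the whole internal record again fails the build instead of shipping.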

Gone missing: privacy by design

The effort SAP made to protect personal data was based on – at best – security through obscurity. In reality, it is based on ignorance: let’s hope that no one knows what a parameter is or that its value can be changed.

Of course, you need to know the link to the broadcasting tool. But that information was easy to get. Registration was open to everyone on the internet with a corporate e-mail address, and the target group included, to a significant extent, people who know what a URL and a parameter are. If you think this is highly specialized knowledge only available to skilled developers: developers were listed as a target group for the event.

On top of that, there were no additional measures in place to make guessing a correct registration ID hard. It was a number, in a narrow range. No hash, no UID. Not even one valid ID in a million to guess for. Counting up or down by one was sufficient. There was no additional validation after accessing the stream: no access code (it could have been part of the e-mail), no other check (enter your e-mail address, etc.). Funny enough, not even Universal ID was required. It seems that when ease of use (access the platform fast and without entering a password) is important, UID is seen for what it is: unnecessarily complicated and user unfriendly. SAP opted to make it as simple as possible, and as a result you were logged in directly.

The next error was to show the personal data in the contact dialog. Why? Why show the name and e-mail address? To let me validate it? To check that my name and e-mail are correct? The e-mail address SAP sent the event link to, which I clicked and therefore already validated? It was a personal link, so why not just state: can we contact you? After clicking yes, the registration ID is linked internally at SAP to the registration information, which is all that is needed to find my e-mail address and contact me. Why show the personal data at all?

Same with the chat service. Why include the user ID? Is it needed? It is not shown to the user in the chat, so why add this sensitive information to the response in the first place?
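Three of the missing measures listed above (an unguessable identifier instead of a counter, an access code from the e-mail, and a contact dialog that resolves the registrant server-side instead of echoing name and e-mail) fit in a few dozen lines. The following is an added example, not SAP's code: the in-memory stores, the `broadcast.example.com` host and the registration data are constructed, and the token and code formats are design choices of this example, not of the real platform.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Constructed in-memory stores; a real deployment would use a database.
REGISTRATIONS = {}   # regid -> {"name": ..., "email": ...}
TOKEN_INDEX = {}     # sha256(token) -> regid  (store the hash, not the token)
ACCESS_CODES = {}    # regid -> short code mailed with the link

EVENT_BASE = "https://broadcast.example.com/go/unleashed"   # placeholder host

# One answer for every failure, so "unknown link" and "wrong code" look identical.
GENERIC_FAILURE = {"ok": False, "message": "This link is not valid or has expired."}


def register(regid, name, email):
    """Create a registration; return the personal link and the access code."""
    REGISTRATIONS[regid] = {"name": name, "email": email}
    token = secrets.token_urlsafe(32)   # 256 random bits: counting up/down finds nothing
    TOKEN_INDEX[hashlib.sha256(token.encode()).hexdigest()] = regid
    code = f"{secrets.randbelow(10**6):06d}"   # second check, sent in the e-mail
    ACCESS_CODES[regid] = code
    return EVENT_BASE + "?" + urlencode({"t": token}), code


def open_stream(token, access_code):
    """Resolve a personal link. The browser gets a session bound to the regid,
    never the registrant's name or e-mail address."""
    regid = TOKEN_INDEX.get(hashlib.sha256(token.encode()).hexdigest())
    expected = ACCESS_CODES.get(regid, "")
    # Compare on every path (even when regid is None) so timing does not
    # reveal which of the two checks failed.
    code_ok = hmac.compare_digest(expected.encode(), access_code.encode())
    if regid is None or not code_ok:
        return GENERIC_FAILURE
    return {"ok": True, "session": {"regid": regid}}


def contact_request(regid, consent):
    """'Request more info': the server looks the registrant up itself and hands
    the address to the follow-up system; nothing personal is sent back to the page."""
    if not consent or regid not in REGISTRATIONS:
        return None
    return REGISTRATIONS[regid]["email"]


if __name__ == "__main__":
    link, code = register(3730557, "Example Attendee", "attendee@example.com")
    print("link:", link)
    print("code:", code)
    print(open_stream(link.split("t=", 1)[1], code))
```

Storing only the hash of the token means a leaked registration table does not hand out working links, and returning the same failure object (and the same HTTP status) for both bad tokens and bad codes removes the valid/invalid oracle the post describes.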

SAP decided to go for marketing, ignoring privacy by design completely.


Tobias Hofmann

Doing stuff with SAP since 1998. Open, web, UX, cloud. I am not a Basis guy, but very knowledgeable about Basis stuff, as it's the foundation of everything I do (DevOps). Performance is king, and unit tests are something I actually do. Developing HTML5 apps when HTML5 wasn't around. HCP/SCP user since 2012, NetWeaver since 2002, ABAP since 1998.
