ERPScan researcher Alexey Tyurin says hundreds of Oracle PeopleSoft users, including banks, are running publicly exposed services that are open to a token-forging vulnerability.

The penetration tester says a breach could be worse than that of the Office of Personnel Management, which recently lost millions of records in a hack pinned on China.

Oracle's PeopleSoft Human Resource Management System is used by more than 7000 organisations, including half of the Fortune 100; about a third of those users are higher education institutions, mainly based in the US.

Tyurin found, through web searches, some 549 exposed PeopleSoft systems: 249 at commercial enterprises, 236 at universities, 64 in the government and military sectors, and 20 at banks.

He says some 231 of that total are vulnerable to the so-called TokenChpoken attack, which lets an attacker recover the key protecting the PS_TOKEN cookie, re-create tokens for arbitrary accounts and, from there, reach data stores and other connected systems.

"The attack allows [hackers] to find the correct key to the token, login under any account and get full access to the system," Tyurin says.

"It also gives an attacker an opportunity to hack other systems as well as third-party data stores.

"In most cases, it takes not more than a day to decrypt the tokens by using a special brute forcing program on the latest GPU that costs about US$500. Taking into account that organisations using PeopleSoft systems have about 5000 employees, the cost of getting personal data of one of them is only 10 cents!"

Eighteen of the Fortune 500 are exposed, including one of the world's largest pharmaceutical companies, which was not named. Some 25 of Forbes' 2000 biggest public companies are also open to the attack.

The TokenChpoken tool, detailed in Tyurin's Hack in the Box Paris presentation [PDF], can "parse, brute force and re-create a PS_TOKEN cookie" without requiring valid credentials on the server.
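To show why a single captured cookie is enough, here is an added example, not code from the article, from ERPScan or from the TokenChpoken tool. It uses a constructed, simplified signed-cookie model: the real PS_TOKEN layout is not reproduced, and the field names, the "node secret", the sample users and the guess list are all assumptions. What it demonstrates is the class of weakness the attack relies on: when the cookie's authenticator is a plain hash over its fields plus a short or default secret, the secret can be recovered entirely offline from one token (the attacker's own low-privilege session will do) and then used to mint a token for any account. The hardened variant at the end uses a random 256-bit HMAC key and an expiry check, against which the same tampering fails.

```python
"""Offline brute force of a guessable token secret, then token forgery.

Constructed, simplified model of a signed session cookie. It is NOT the
real PS_TOKEN layout and not ERPScan's TokenChpoken tool.
"""
import base64
import hashlib
import hmac
import itertools
import secrets


def parse_token(token):
    """Split the base64 cookie into (user, node, timestamp, mac)."""
    user, node, ts, mac = base64.b64decode(token).decode().split("|")
    return user, node, int(ts), mac


def weak_mint(user, node, ts, secret):
    """Weak scheme: authenticator = SHA1(fields || secret), where the secret
    is a human-chosen 'node password'. Whoever knows it can mint any user."""
    body = f"{user}|{node}|{ts}"
    mac = hashlib.sha1((body + secret).encode()).hexdigest()
    return base64.b64encode(f"{body}|{mac}".encode()).decode()


def weak_verify(token, secret):
    user, node, ts, mac = parse_token(token)
    expect = hashlib.sha1(f"{user}|{node}|{ts}{secret}".encode()).hexdigest()
    return hmac.compare_digest(expect, mac)


def candidate_secrets():
    """Constructed guess list: a few default-looking values, then every
    lowercase alphanumeric string of up to 3 characters (about 47k guesses).
    A GPU cracker does exactly this, at billions of SHA1 operations per second."""
    yield from ["password", "PSNODE", "PS", "peoplesoft", "admin"]
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    for n in range(1, 4):
        for chars in itertools.product(alphabet, repeat=n):
            yield "".join(chars)


def brute_force_secret(token, candidates):
    """Entirely offline: one captured token and no further server requests."""
    user, node, ts, mac = parse_token(token)
    body = f"{user}|{node}|{ts}"
    for guess in candidates:
        if hashlib.sha1((body + guess).encode()).hexdigest() == mac:
            return guess
    return None


def forge_token(captured_token, secret, target_user):
    """Re-create a valid token for another account, reusing the node name and
    timestamp copied from the captured cookie."""
    _, node, ts, _ = parse_token(captured_token)
    return weak_mint(target_user, node, ts, secret)


# Hardened scheme: HMAC-SHA256 under a random 256-bit key that is never a
# human password, plus an expiry window so stale or replayed tokens die.
def strong_mint(user, node, ts, key):
    body = f"{user}|{node}|{ts}"
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{body}|{mac}".encode()).decode()


def strong_verify(token, key, now, max_age=3600):
    user, node, ts, mac = parse_token(token)
    expect = hmac.new(key, f"{user}|{node}|{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expect, mac) and 0 <= now - ts <= max_age


def demo():
    """Run the attack against the weak scheme, then show it fails against the
    hardened one. Returns (recovered_secret, forged_accepted, tampered_accepted)."""
    node_secret = "ps"  # constructed: a two-character default-style secret
    captured = weak_mint("jdoe", "PSFT_HR", 1_000_000, node_secret)
    recovered = brute_force_secret(captured, candidate_secrets())
    forged = forge_token(captured, recovered, "admin")  # any target account
    forged_ok = weak_verify(forged, node_secret)

    key = secrets.token_bytes(32)
    good = strong_mint("jdoe", "PSFT_HR", 1_000_000, key)
    # Attacker swaps the user field but cannot recompute the HMAC without key.
    tampered = base64.b64encode(
        base64.b64decode(good).decode().replace("jdoe", "admin", 1).encode()
    ).decode()
    tampered_ok = strong_verify(tampered, key, now=1_000_100)
    return recovered, forged_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # ('ps', True, False)
```

The point a defender should take from the weak path is that the server never sees the guessing: rate limiting and lockout do nothing, and the only controls that matter are the entropy of the key and a construction (HMAC with a random key) where knowing the format buys the attacker nothing.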

Tyurin says massive profit margins exist for criminals willing to sell the information on black markets, making PeopleSoft plundering a "rather profitable business".

He says 10 per cent of the exposed companies are still using a default password as the key to their tokens.

The researcher listed a menu of appetising data an entrepreneurial hacker could obtain by exploiting the vulnerable systems: social security numbers, credit card details, sensitive intellectual property, internal project information, and tender and contract information, along with the opportunity for supply chain sabotage.

His company has also found cross-site scripting and authentication bypass vulnerabilities that he says have gone unresolved for years. ®