SAP hackers Alexander Polyakov and Alexey Tyurin say Oracle PeopleSoft contains unpatched vulnerabilities and weaknesses that allow attackers to easily obtain admin passwords.

The hackers say the PeopleSofts credential can be yanked from the TokenID contained within password recovery sites and cracked using a cheap graphical processing unit within a day.

That feat is possible because of poor key generation standards, forcing admins to use very long passwords unless they are running the latest PeopleSoft installations, Polyakov says.

Oracle has been contacted for comment.

"There are multiple default credentials in PeopleSoft itself and Weblogic Application server," Polyakov says.

"While Oracle telling us that this problem is only for a demo system, we disagree as we saw production implementations during our penetration tests where those default passwords exist."

"Not every implementation is vulnerable, but some of them definitely vulnerable, and those are not only demo installations."

Polyakov says any attacker could gain administrator privileges by brute-forcing the special node-password which uses SHA1.

"What's more, attackers in some cases don't need to have a user account to get a cookie-token since some public web pages such as password recovery or job forms pages generate tokens automatically forms," he says.

Other PeopleSoft installations contain unchanged and universal default passwords making cracking unnecessary.

"The only way now is set very strong password for the node, or change it to certificate authentication instead of password authentication. Those changes will require some configuration especially if customer use multiple nodes, and of course they will need to turn off systems for some time to reconfigure it," he says.

The flaws are the latest in a line colleague Tyurin says means the state of security of Oracle's PeopleSoft is in the worst shape since 2010.

He points out that more than 7000 companies use PeopleSoft including about half of the Fortune 100.

Tyurin and Polyakov work as professional penetration testers with a focus on SAP. The former says the scant research on the platform is leaving companies in the dark regarding their ability to ascertain their state of security.

“While cyber criminals are exploiting existing security flaws, companies don’t know the methodology for testing their PeopleSoft applications against vulnerabilities, especially architectural ones," Tyurin says.

He says the platform can often grant "easy" access to connected applications. ®