Privacy

32173 readers

626 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS

[email protected]

189

ADP gives you a person’s username and the name of all their employers when you type in their name and phone number. (self.privacy)

submitted 3 days ago* (last edited 3 days ago) by Aslanta to c/[email protected]

26 comments fedilink hide all child comments

On their website, go to the sign in screen and click “Need help signing in”. Go through the prompts and watch the person’s username, and the legal name of all their employers (who have ever used ADP) appear on the screen.

Note: Whether or not you select “my current employer uses ADP”, it will still show you the full list of both current and previous employers (who use ADP).

From there, it is remarkably easy to gain access to paycheck information if you are ~~a grocer, a landlord, a retailer, or anyone of the 2737429193 entities who may~~ have a little extra data on them.

Edit: To address some of the comments, I feel I need to clear something up. I’m not saying this is some authoritarian configuration error ADP messed up on. It’s a standard login that works conveniently for ADP and also happens to be negligent in privacy protection. And it’s most likely completely legal for most people in the U.S.

you are viewing a single comment's thread
view the rest of the comments

[–] Serinus 57 points 3 days ago (2 children)

This is generally not how one goes about disclosure.

[–] [email protected] 36 points 3 days ago (1 children)

Depends on how the parties behaved in the past. There are a bunch of government entities which called police on me in the past when trying to work with them about discovered issues and as result also will just get anonymous 0-day drops in public forums for future issues.

[–] [email protected] 4 points 3 days ago (1 children)

If you really regularly disclosed vulnerabilities you’d know that for entities that don’t have vulnerability disclosure programs you can always report through CISA or ENISA.

[–] [email protected] 11 points 3 days ago (1 children)

I expect the responsible person listed for some specific application to react to an email about it to fix it, and not send me police. Why would I want to jump through hoops for doing them a favour?

Same applies also if there's no easy way to send a mail to someone responsible.

[–] [email protected] -5 points 2 days ago

Ok bro.

Same applies also if there's no easy way to send a mail to someone responsible.

Yeah I’m pressing x for doubt you’ve ever disclosed anything. You got any CVE’s to your name?

[–] [email protected] 29 points 3 days ago (2 children)

I hear you, but in the last year I've begun wondering if full public disclosure isn't a better way to go these days.

The sheer volume of breaches is overwhelming and in my experience (of over 40 years as an ICT professional) many companies sweep their failures under the carpet, hide behind crisis management teams and marketing speak, and ridicule those bringing issues to their attention.

Their disclosure is abysmal if it's made at all and there are precious few who reveal precisely what data was exfiltrated or how the issue was remediated.

This way anyone can verify the issue and companies cannot hide, everyone sees precisely what's leaked and can act accordingly.

If you know of a more effective way, I'd love to hear it.

[–] [email protected] 7 points 3 days ago

I hear this. Stuff this egregious they are not even trying to begin with.

[–] [email protected] 1 points 3 days ago (1 children)

Making the attempt at responsible disclosure is still more effective.

[–] [email protected] 17 points 3 days ago (2 children)

Effective for whom?

The users who's data was disclosed, or the company that made the disclosure?

[–] Serinus 7 points 3 days ago (1 children)

Well, this leak is out there now for whoever decided to use it. And it's being publicized. That doesn't seem good for the people having their payroll data leaked.

[–] Aslanta 7 points 3 days ago

Hey, now. Don’t go blaming the person who is calling attention to negligence of another. 5 years ago, ADP had user support service to handle login issues. But with the diminishing right to privacy in recent years, it is much more convenient for them to simply give the information away.

[–] [email protected] 2 points 3 days ago

Everyone involved.