Workrise fixes API that spilled users’ personal information

Workforce management unicorn Workrise has fixed an exposed API that was spilling some users’ personal information.

The Austin, Texas-based startup, which previously went by RigUp, was founded in 2014 as a marketplace for on-demand and skilled labor in the oil and gas industry. The company changed its name to Workrise in February 2021 to accommodate a broader set of energy sectors, like solar, construction and defense. By May 2021, Workrise said it had raised $300 million at a $2.9 billion valuation. But last month, Workrise announced layoffs that reportedly hit hundreds of the company’s 600 employees after the midpandemic pivot failed to pan out.

Now, a security researcher who goes by the handle Rzlr told TechCrunch that they found an exposed Workrise API that allowed anyone to retrieve personal information about subcontractors directly from Workrise servers without needing a password.

The API was able to return names, email addresses and some employment details about subcontractor’s work, and names and email addresses about the people who provided references for the subcontractors, such as their former colleagues and managers.

In simple terms, an API allows two things to talk with each other over the internet, like a smartphone app, a Peloton bike or door locks that need to communicate with their servers. In this case the unauthenticated API could be queried using a web browser by plugging in a unique four-digit user ID that corresponds with a subcontractor’s review. But the user IDs were sequential, allowing anyone to access another subcontractor’s information simply by changing the user ID by a single digit, a common security flaw known as an insecure direct object reference bug — though Rzlr said not every digit returned a valid response.

Several of the exposed records seen by TechCrunch were created as far back as 2019 and marked as “draft.”

Rzlr said in their limited testing of 1,000 records, they found more than 920 records with names and email addresses. Rzlr said the API did not limit the amount of data that could be downloaded, which they warned could have presented a scraping risk.

A screenshot shared with TechCrunch showed that the data could be easily scraped.

TechCrunch emailed CEO Xuan Yong and COO Mike Witte, who did not respond, but a short time later the API was no longer publicly accessible and was protected by a login page. In an emailed response, Eric Murphy, Workrise’s vice president of security, told TechCrunch: “Users maintain public profiles by default,” said Murphy. “To the extent Workrise determines any active user data was exposed that was not intended to be public, Workrise plans to notify those users directly.”

Rzlr said they contacted several Workrise email addresses on April 22 — including Murphy’s and the company’s main security email address — about the exposed API. When asked why the API was not secured for two weeks until TechCrunch contacted the company, Murphy said the researcher’s emails were marked as spam.

Workrise also fixed a second API issue that allowed anyone to obtain users’ referral codes, which could then be used to query the API to obtain the name, email address, phone number and the referral payment amount of users who invited others to join the site.

When asked if the company had carried out security audits of its systems, Murphy said the company had undergone “multiple” third-party audits but declined to name the company that allegedly performed them.