When approaching this application, I decided to focus on vulnerabilities that will be specific for job dashboards. Here is the writeup on any authentication issues that I found.
Replacing candidate data and adding resume for imported candidate
Because this is a job board, it allowed company employees to internally import candidate information. This becomes useful if you are internally referring a user. For example, if I wanted to refer you internally as an employee, I could simply import your resume and then add you as candidate for the specific job. However there was a minor flaw that I noticed when a candidate was imported. Lets explain this issue with an impact scenario in relation to a superficial company: Securify.
As an employee at Securify, I decide that John Doe is a good candidate for Security Engineer so I decide to add them as a candidate for the job. When adding, I import John's PDF and add his email (firstname.lastname@example.org). Once I import his profile, it gets added to the queue for the candidates under Security Engineer job.
Now, an external user browses to https://hire.withgoogle.com/public/jobs/securifyinccom and chooses Security Engineer job. Once they select the job, they start filling the details and for the email they put email@example.com. Once they submit the application, it would replace all the data that I imported with the data that the external user added. In addition, it will add the new resume as an extra resume in the candidates file.
While this is a little hard to exploit because you need to know the email of the candidate, in some cases this could be exploited and prevent companies from efficiently handling their candidate list.
Posting as another company in a job board
When I started to test Hire with Google, I noticed an extremely interesting feature. There was an option where the app would automatically post our job on public boards including Google Job search, Glassdoor, and Indeed.
After seeing this, I decided to see how Glassdoor and Indeed were pulling the info. Based on the small i icon, Glassdoor and Indeed would pull data from a XML and will then use that info to post it to their site. However, because it was not clear on how this will exactly be done, I decided to do a practical test. I created a job and for location put it on a remote place somewhere in US. After that, I went to Glassdoor and created an alert which would send me an email when a job on that region was posted.
Couple days letter, I got an email from Glassdoor that had the job listing I posted. In the start, I had my company name on Hire with Google set as company X (Hidden for privacy and other purposes). This company X is not owned by me and is basically a non-existent company because they were acquired by another company however they still had an unverified Glassdoor company profile. I noticed that my job listing was posted under their name.
After finding out that the job listing were posted under whatever was in the company name, I went ahead and changed my name to Google (sorry 😞). Then I made some more triggers on Indeed and Glassdoor. I also started to monitor Google search for Google jobs on that region to see if it worked. Two hours after posting the job, it was finally live on Google Search under Google's name. Google has a lot of job listing so, to make sure I knew it was mine, I put a small phrase that was personally identifiable to me (blacked out in the image below).
The jobs were also posted on Glassdoor and Indeed (shown below). What made this worse was that once the jobs were posted on Glassdoor, people who had alerts for new job openings in Google or for certain job types like Software Engineer, got notified by Glassdoor that Google was hiring. Sadly, many people fell victim and ended up applying for the job (censored sample image below).