Air to Ground Message:
HI GUYS. PLS CAN YOU ADVISE PAX IN REUS TO BUY FOOD IN TERMINAL. 7 BACON BUTTIES ONBOARD AINT GONNA COVER IT
Area: UK
Type: Airbus A320
A: #aa329a1f8ae
F: #f2be305be45
| Infosec Diaries | https://infosecdiaries.com |
| Business Inquiries | https://www.securebeing.com |
| Medium | https://mike-sheward.medium.com/ |
| Goodreads | https://www.goodreads.com/author/list/8153753.Mike_Sheward |
| Author Page | https://www.amazon.com/Mike-Sheward/e/B00JKND75S |
| Linktree | https://linktr.ee/secureowl |
Air to Ground Message:
OS KLAX WE HAVE A PAX WHO SPILT HOT LIQUID ON HIS GROIN AREA AND BURNED HIMSELF WE HAVE A MED PROFSNL ON BOARD ASSISTING REQUEST MEDICAL AT THE GATE PLEASE PASSENGER IS IN 30F XXXXX XXX MIDDLE AGED MALE THANKS
Area: Los Angeles, CA, USA
Type: Airbus A321
A: #a04c6ffe0ce
F: #f9681d76eac
Air to Ground Message:
FAILURE TO DISINFECT SOILED SEATS
Area: Portland, OR, USA
Type: Embraer 175 (Enhanced Wing)
A: #a4a011c1a6c
F: #f4f6829bfef
Air to Ground Message:
ATC IS SAYING THERES AN EMERGENCY SITCH AT THE AIRPORT...THX
Area: Raleigh, NC, USA
Type: Boeing 737-800
A: #ae71973d7dd
F: #fd11d203e29
RE: https://live.acarsdrama.com/@acarsdrama/116460768612916004
have made similar reports after chipotle
Disclosure: This was Rippling (rippling.com)
Essentially, the flaw I discovered was that if you use their platform to send someone a job offer via email, shortly after sending said offer (no interaction required on the part of the recipient, such as, say, actually looking at or accepting the offer), if that person already had a Rippling account, such as from a prior employer, a Rippling process would run that would populate their information from what was already in the Rippling backend from another tenant.
This info includes all the PII, including SSN, banking, address etc.
That info would automatically become visible to the Rippling user who had sent the job offer email.
So, all you needed was a Rippling tenant, and if your target had previously used Rippling ever - you could exchange their email address for all the info.
Timeline: reported in July 2025 to the Rippling Bugcrowd bug bounty program, accepted as a critical issue within 48 hours, only fixed last week (9 months).
No bounty was offered.
Just a data point for anyone else who considers submitting to this program. Probably the least impressive bug bounty experience I’ve had in the last 15+ years.
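A minimal model of the cross-tenant prefill described in the post above, next to a tenant-scoped version and an isolation regression check. This is an added example, not part of the original post and not Rippling's code; the `Platform` class, its method names, the tenant names and the sample record are all hypothetical and constructed.

```python
from dataclasses import dataclass, field

# Hypothetical multi-tenant HR platform model; every name here is illustrative.
SENSITIVE = {"ssn", "bank_account", "address"}

@dataclass
class Platform:
    profiles: dict = field(default_factory=dict)  # (tenant, email) -> fields

    def _prior_record(self, email, exclude_tenant):
        # Find a record for the same email held by a different tenant.
        for (tenant, addr), data in self.profiles.items():
            if addr == email and tenant != exclude_tenant:
                return data
        return {}

    def send_offer_vulnerable(self, tenant, email):
        # Flaw: the sender's action alone copies another tenant's data.
        self.profiles[(tenant, email)] = dict(self._prior_record(email, tenant))

    def send_offer_hardened(self, tenant, email):
        # The offer creates an empty, tenant-scoped record. Nothing crosses over.
        self.profiles[(tenant, email)] = {}

    def recipient_approves(self, tenant, email, authenticated_as):
        # Data moves only after the authenticated account owner releases it.
        if authenticated_as != email:
            raise PermissionError("only the account owner can approve sharing")
        self.profiles[(tenant, email)] = dict(self._prior_record(email, tenant))

def leaked_fields(send_offer_name):
    """Isolation check: seed tenant-a, send an offer from tenant-b with no
    recipient interaction, and report sensitive fields tenant-b now holds."""
    p = Platform()
    p.profiles[("tenant-a", "pat@example.com")] = {  # constructed sample data
        "name": "Pat", "ssn": "000-00-0000", "bank_account": "constructed-0001"}
    getattr(p, send_offer_name)("tenant-b", "pat@example.com")
    return sorted(set(p.profiles[("tenant-b", "pat@example.com")]) & SENSITIVE)

if __name__ == "__main__":
    print("vulnerable:", leaked_fields("send_offer_vulnerable"))
    print("hardened:  ", leaked_fields("send_offer_hardened"))
```

A check like `leaked_fields` belongs in the test suite of any feature that links records by a shared identifier such as an email address across tenants.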
RE: https://live.acarsdrama.com/@acarsdrama/116460178970112357
kash patel’s tequila co-ordinator on the morning taxi ride to the office
Reactions to this headline:
The security team: oh noe, sounds bad
The business: how do we get in on this?