A security hole makes it possible to post arbitrary job offers seemingly under the umbrella of the employment office

Some curious job offers, eagerly forwarded by e-mail, are currently causing astonishment. From the state-certified district pollinator with regular night work, to the Maserati parker in the pedestrian zone, to the spammer or brothel manager, or even, at the lowest level, the failed law student with a failed second state exam who is supposed to make coffee in a law firm for room and board and put warning letters into their envelopes: the employment agency suddenly seems to have the strangest job advertisements in its database.

All these job offers can be found in Berufenet, a subdomain of arbeitsamt.de that actually only provides information about job descriptions and does not offer any jobs, and whose main page now forwards to the new name arbeitsagentur.de.

Only those who take a close look at the URL being called notice what is going on: the apparent offer does indeed begin with the employment office address. In reality, however, a CGI script is used to embed an arbitrary image stored on a completely different domain, together with freely selectable text, into the frame and the URL of the employment office, thus creating apparent respectability. We were also able to successfully present our brothel tester as a job offer registered with the employment office.
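The script itself is not shown in the article. As an added example (not the agency's code; the parameter names `img` and `text`, the host names and the HTML are assumptions), this is the pattern described above next to a version that only embeds images from hosts the operator controls and escapes the text:

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical allowlist of image hosts the site operator controls (placeholders).
ALLOWED_IMAGE_HOSTS = {"berufenet.agency.example", "static.agency.example"}


def render_unsafe(img: str, text: str) -> str:
    """The flaw described above: both request parameters reach the page unchecked."""
    return f'<div class="offer"><img src="{img}"><p>{text}</p></div>'


def image_url_allowed(img: str) -> bool:
    """Accept only http(s) URLs whose host is exactly on the allowlist."""
    # Backslashes and control characters are parsed differently by browsers.
    if any(ch == "\\" or ord(ch) < 0x21 for ch in img):
        return False
    try:
        parts = urlsplit(img)
        _ = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # Userinfo can make a foreign URL look local: https://allowed-host@other-host/
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    return host in ALLOWED_IMAGE_HOSTS


def render_safe(img: str, text: str) -> Optional[str]:
    """Return the fragment, or None when the image is not hosted by the operator."""
    if not image_url_allowed(img):
        return None
    # Escape both values so neither can break out of its HTML context.
    return (f'<div class="offer"><img src="{html.escape(img)}">'
            f'<p>{html.escape(text)}</p></div>')


if __name__ == "__main__":
    foreign = "http://images.other.example/offer.png"  # constructed sample input
    print(render_unsafe(foreign, "Any text at all"))
    print(render_safe(foreign, "Any text at all"))  # None
    print(render_safe("https://static.agency.example/baker.png", "<b>Baker</b>"))
```

Escaping only stops markup injection; the text is still chosen by whoever builds the link, so a handler like this should load descriptions from its own records by ID rather than from the request.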

At first glance, the carelessly exposed CGI script is good for a few laughs. But it is likely that at some point real, but equally dubious, offers will also be given the veneer of official authority in this way: not everything that says "employment office" on the outside really has "employment office" inside.

