Wednesday, July 06, 2005

Flawed USC admissions site allowed access to applicant data

Robert Lemos writes in SecurityFocus:

A programming error in the University of Southern California's online system for accepting applications from prospective students left the personal information of users publicly accessible, school officials confirmed this week.

The flaw put at risk "hundreds of thousands" of records containing personal information, including names, birth dates, addresses and social-security numbers, according to the person who discovered the vulnerability. The Web programming error allowed the discoverer, who asked only to be identified by the alias "Sap," to slip commands to the site's database through the log-in interface.

"The authentication process can be bypassed, and you can find the information for any student who has filled out an application online," the discoverer, who claimed to be a security-savvy student who found the flaw during the process of applying to USC, stated in an e-mail to SecurityFocus. "From there, you can view or change profile info, (and get) the person's user name and password combo. Entire tables can be exposed, remote command execution, you name it. Basically, they are owned."

USC's Information Services Division confirmed the problem and shuttered the site this week as a precaution, but did not confirm the size of the potential data leak or whether the university plans to tell applicants of the issue.

SecurityFocus notified the university of the issue two weeks ago after being tipped off by the discoverer. The university initially removed the log-in functionality from the site for several days, but allowed applicants to log in for most of last week. USC completely blocked access to the site this week.

"We are investigating the matter and will have more information available soon," USC spokeswoman Usha Sutliff said on Tuesday.
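As an added illustration (not the USC site's code, which the article does not show), this models the class of bug described above: a login query that splices form fields into SQL, shown beside the parameterized form that treats the same input as a plain literal. The applicants table, its columns and the sample row are constructed assumptions.

```python
"""Vulnerable vs. hardened login query for the SQL-injection class of bug
described in the SecurityFocus article. Added example; table and column
names are assumptions, not the USC application site's schema."""
import hashlib
import sqlite3


def fresh_db():
    # Constructed sample data; the SSN value is a placeholder, not real data.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE applicants (username TEXT, pw_hash TEXT, ssn TEXT)")
    db.execute(
        "INSERT INTO applicants VALUES (?, ?, ?)",
        ("jdoe", _digest("correct-horse"), "SAMPLE-SSN-PLACEHOLDER"),
    )
    db.commit()
    return db


def _digest(password):
    # Plain SHA-256 keeps the example short; a real deployment would use a
    # slow, salted password hash. The injection point is the query, not this.
    return hashlib.sha256(password.encode()).hexdigest()


def login_vulnerable(db, username, password):
    # BUG: the username is pasted into the SQL text, so a quote in the
    # input ends the string literal and the rest is parsed as SQL.
    sql = (
        "SELECT username FROM applicants WHERE username = '%s' "
        "AND pw_hash = '%s'" % (username, _digest(password))
    )
    return db.execute(sql).fetchone() is not None


def login_hardened(db, username, password):
    # Parameterized query: the driver binds the values separately from the
    # statement, so quotes in the input can never change the SQL structure.
    row = db.execute(
        "SELECT username FROM applicants WHERE username = ? AND pw_hash = ?",
        (username, _digest(password)),
    ).fetchone()
    return row is not None


def regression_check():
    # Constructed input containing a quote and an SQL comment marker: the
    # concatenating version authenticates without the password, the
    # parameterized version does not. Returns both outcomes for a test.
    db = fresh_db()
    crafted = "jdoe' --"
    return login_vulnerable(db, crafted, "wrong"), login_hardened(db, crafted, "wrong")
```

The regression check is the kind of test a defender adds after a fix of this sort, so the concatenating pattern cannot silently return.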
