USC admissions site cracked wide open

Flaw allowed access to applicant data

A programming error in the University of Southern California's online system for accepting applications from prospective students left the personal information of users publicly accessible, school officials confirmed this week.

The flaw put at risk "hundreds of thousands" of records containing personal information, including names, birth dates, addresses and social-security numbers, according to the person who discovered the vulnerability. The Web programming error allowed the discoverer, who asked only to be identified by the alias "Sap," to slip commands to the site's database through the log-in interface.

"The authentication process can be bypassed, and you can find the information for any student who has filled out an application online," the discoverer, who claimed to be a security-savvy student who found the flaw while applying to USC, said in an email to SecurityFocus. "From there, you can view or change profile info, (and get) the person's user name and password combo. Entire tables can be exposed, remote command execution, you name it. Basically, they are owned."

USC's Information Services Division confirmed the problem and shuttered the site this week as a precaution, but did not confirm the size of the potential data leak or whether the university plans to tell applicants of the issue.

SecurityFocus notified the university of the issue two weeks ago after being tipped off by the discoverer. The university initially removed the log-in functionality from the site for several days, but allowed applicants to log in for most of last week. USC completely blocked access to the site this week.

"We are investigating the matter and will have more information available soon," USC spokeswoman Usha Sutliff said on Tuesday.

The potential privacy issues come as other high-profile data leaks among financial institutions have focused attention on organizations' general failures in securing customer information. In the most recent case, MasterCard International outed credit-card processor CardSystems Solutions for failing to secure transactions, leading to tens of thousands of cases of fraud and potentially putting as many as 40 million credit-card accounts at risk.

"Companies and organizations still don't understand the value of what they are protecting, and as a result they are not putting adequate resources towards that protection," said Richard Purcell, CEO of independent privacy consultancy Corporate Privacy Group.

For example, until recently many colleges and universities used a student's social security number as their primary student identifier, he said. Some schools still have not stopped the practice.

"They are printing social-security numbers on ID cards, transcripts and reports," Purcell said.

The University of Southern California is the latest college in the United States to discover flaws in its online systems. The University of Connecticut notified its students, staff and faculty last week that a computer hacking tool had been found on a server containing 72,000 personal records, including social security numbers, dates of birth, phone numbers, and addresses, according to published reports. In March, Boston College acknowledged that 100,000 records from its alumni database may have been copied, while a laptop owned by a researcher at the University of California at Berkeley and containing personal information on 1.4 million Californians was found to be compromised last October.

Incidents at many other colleges - including the Georgia Institute of Technology, University of Texas at Austin, George Mason University, and the University of California at Los Angeles - have also put personal information at risk.

The vulnerability in USC's online Web application system is a relatively common and well-known software bug, known as database injection or SQL injection. A lack of security checks on user input allows a hostile user to submit a database command rather than a log-in name. The command could cause the database to send its information back to the attacker or aid the attacker in compromising the computer system hosting the database.
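The bug class described above, as an added illustration that is not code from the article or from USC's system: a log-in query built by string concatenation beside the parameterised form, run against a constructed in-memory SQLite table (the table, names and inputs are assumptions of this example).

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for an applicant table;
    # not USC's real schema or records.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE applicants (username TEXT, password TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO applicants VALUES (?, ?, ?)", [
        ("alice", "s3cret", "000-00-0001"),
        ("bob", "hunter2", "000-00-0002"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    # The submitted text is pasted straight into the SQL statement, so a
    # quote character in the input ends the string literal and whatever
    # follows is parsed as SQL rather than compared as a log-in name.
    sql = ("SELECT username FROM applicants WHERE username = '%s' "
           "AND password = '%s' ORDER BY username" % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    # Parameterised query: the statement text is fixed and the driver
    # passes the values separately, so input can only ever be data.
    sql = ("SELECT username FROM applicants WHERE username = ? "
           "AND password = ? ORDER BY username")
    return [row[0] for row in conn.execute(sql, (username, password))]


# Constructed input containing a stray quote, of the kind the article's
# "lack of security checks on user input" lets through.
STRAY_QUOTE_INPUT = "' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "vulnerable_normal": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_stray_quote": login_vulnerable(conn, STRAY_QUOTE_INPUT, STRAY_QUOTE_INPUT),
        "safe_normal": login_safe(conn, "alice", "s3cret"),
        "safe_stray_quote": login_safe(conn, STRAY_QUOTE_INPUT, STRAY_QUOTE_INPUT),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: matched {rows}")
```

The concatenated query matches every applicant row on the malformed input, which is the authentication bypass the discoverer describes; the parameterised query matches none.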

"All this stuff gets back to the fact that we are still building this thing called the internet and security varies all over the map," said Richard Smith, an independent privacy and security consultant based in Boston. "Some people understand it very well and others don't."

The person who discovered the flaw was able to access at least four database records using the vulnerability. The exploit information and the records were forwarded to USC officials two weeks ago by SecurityFocus.

The issue is still being investigated, but under California's Security Breach Information Act, also known as S.B. 1386, organizations that may have disclosed sensitive personal information, including social security numbers, must notify the people affected of the potential breach. USC has not said when, or even if, the school intends to notify applicants who used the system that their data may have been at risk.

Copyright © 2004, SecurityFocus