
Security lapse makes GPAs visible

Degree audits accessible to anyone via URLs; gap has since been fixed

By Alex Tomchak Scott | News editor


Published: Sunday, August 2, 2009

Updated: Tuesday, August 4, 2009

The University has fixed a security hole in its DuckWeb system after a student used it to look at three other students’ degree audits.

The flaw allowed Web users to view certain other students’ degree audits by changing digits in the URL for the printer-friendly version of their own audit. A degree audit contains information about a student’s grades and his or her progress toward a degree.

The student who discovered the breach was Daniel Bachhuber, a former Emerald employee, who then called the University to alert officials of the glitch July 22.

University registrar Sue Eveland estimated that the breach, which has since been repaired, would have made at most 20 different students’ degree audits visible to those who manipulated the URL.

The glitch originated in the system the University uses to upload degree audits. All degree audits for which information has changed on a given day are uploaded simultaneously that night and assigned what Eveland said is a randomly-generated nine-digit number called a batch number. That number is at the end of the URL for the printer-friendly version of the audit and it is the one Bachhuber used to access the degree audits.

Eveland said only the first audit uploaded on a given night was accessible through the glitch. She also said the University removes the data tied to the batch numbers every 30 days, which she said means that only “15 to 20” audits would have been available to those who knew about the glitch at any given time during a 30-day period.

Bachhuber discovered the glitch when he was printing out his own degree audit on July 21. He said he has recently been interested in URL structure, and his interest inspired him to change the last two digits of the URL for his degree audit from “42” to “36.” When he did, another student’s degree audit popped up. Bachhuber changed the URL two more times and got two more audits.

“At first it struck me as, ‘Wow, this is a really stupid security hole,’” Bachhuber said. But he said that he later entered the URL for his own degree audit while logged out of DuckWeb and found he could still access it.

“My own personal data was exposed to anyone publicly,” Bachhuber said. “It wasn’t indexed on Google or anything, but if you understood the structure, you could get my degree audit.”
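What the article describes is a resource selected by a URL parameter with no authorization check behind it: the printer-friendly page consulted only the trailing batch number, not who was asking or whose audit it was, and it answered even to a logged-out visitor. The Python model below is added here as an illustration and is not DuckWeb's or the University's code. It shows that endpoint with both reported flaws beside a hardened version that requires a session and checks ownership, together with the neighbour-walking that Bachhuber did by hand when he changed "42" to "36". The audit store, session table, batch numbers and student IDs are all constructed for the example.

```python
# Added example, not code from DuckWeb or the University of Oregon.
# Models the printer-friendly degree-audit endpoint described in the
# article: the trailing batch number selects the audit. All data below is
# constructed for illustration.

# Constructed store: batch number -> (owner student ID, audit text).
# The numbers are deliberately close together, mirroring the article's
# "42" -> "36" edit of the last two digits of the URL.
AUDITS = {
    123456742: ("951000001", "Degree audit for 951000001: GPA 3.41, 96 credits"),
    123456736: ("951000002", "Degree audit for 951000002: GPA 2.87, 120 credits"),
    123456730: ("951000003", "Degree audit for 951000003: GPA 3.95, 60 credits"),
}

# Constructed session table: session cookie -> logged-in student ID.
SESSIONS = {"sess-abc": "951000001"}


def vulnerable_print_audit(session_cookie, batch_number):
    """The flaw as reported: the batch number is the only thing consulted.

    The session cookie is accepted but never examined, so a logged-out
    visitor who edits the number in the URL gets another student's audit.
    """
    record = AUDITS.get(batch_number)
    return record[1] if record else None


def hardened_print_audit(session_cookie, batch_number):
    """Authenticate, then authorize.

    The caller must present a valid session AND own the audit that the
    batch number points at. Every failure returns None so the response
    does not reveal whether a given batch number exists.
    """
    student = SESSIONS.get(session_cookie)
    if student is None:
        return None  # not logged in
    record = AUDITS.get(batch_number)
    if record is None:
        return None  # no such audit
    owner, text = record
    if owner != student:
        return None  # logged in, but not this audit's owner
    return text


def walk_neighbors(endpoint, session_cookie, start, radius):
    """What Bachhuber did by hand: try nearby batch numbers and note hits.

    Returns the batch numbers, in ascending order, for which `endpoint`
    returned an audit. Against the vulnerable endpoint this harvests every
    live neighbour; against the hardened one it yields only the caller's own.
    """
    hits = []
    for n in range(start - radius, start + radius + 1):
        if endpoint(session_cookie, n) is not None:
            hits.append(n)
    return hits


if __name__ == "__main__":
    # Logged out, editing the last two digits of one's own URL.
    print(walk_neighbors(vulnerable_print_audit, None, 123456742, 12))
    print(walk_neighbors(hardened_print_audit, None, 123456742, 12))
    # Logged in as the owner of batch 123456742.
    print(walk_neighbors(hardened_print_audit, "sess-abc", 123456742, 12))
```

The fix is the ownership check, not a better random batch number: a nine-digit value is still enumerable by an automated client, and the article's own "42" to "36" edit shows that neighbouring values were live. Returning the same empty result for a missing audit, a logged-out caller and a non-owner also keeps the endpoint from confirming which batch numbers exist.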

University officials downplayed the vulnerability of students’ data through the loophole.

“The information that was available on degree audits, none of it could have been used for identity theft,” University spokesperson Heidi Hiaasen said.

Eveland said she did not know for sure how batch numbers were generated for degree audits, but she said it was “very random.” She also said Bachhuber was the only person who had ever used the breach.

“This is a very low, obscure thing that got reported quickly, that was not accessed by any person but the person that reported it,” she said.

atomchak@dailyemerald.com

4 comments

Donna
Tue Aug 4 2009 18:58
Does this mean that I can fiddle with the software and get myself into classes and not pay for them? Spectacular!
doreet
Tue Aug 4 2009 18:46
Wow, so there's a glitch that informs everyone how stupid I am, and what all my bad grades are in? Like everybody can see that I flunked anthropological studies in the field? I beat up a native, and they threw me out of the village? And even spat on me? And Margaret Mead said to me, "now you're in the stupid one, kiddo, not me"? Oh, and I forgot to return my copy of "The Naked Ape" to the library, because my roommate played a prank on me and threw all my clothing out the window? Because that really did happen. The last part. And the part about flunking a lot. And the part about Margaret Mead being a dummy.
Trevor Baker
Tue Aug 4 2009 14:49
This isn't the only thing you can access via changing the end digits of a url at the University of Oregon.

Look at the class schedule. There are 6 digits at the end, for example 200901, which is the fall term schedule.

Take a peek at changing that to 200902. BAM! You've got the winter term schedule that they are currently building! So much for waiting for the anticipated "Schedule Release Date."

I suppose this isn't much of a security breach since many know about this and utilize it (I suppose you could think of it as a trick that the insiders play with), but it is sure a handy tool when building your class schedule two terms out. The proviso here is that none of the data stored here is technically official because it's a work in progress, but I've noticed that generally the schedule completes itself around the start of the term prior.

So if you read the ODE online and clicked over to this article, enjoy your present! =)
http://classes.uoregon.edu/pls/prod/hwskdhnt.p_search?term=200902

Terry Kurzynski
Tue Aug 4 2009 12:27
What University is this?
