Security lapse makes GPAs visible
The University has fixed a security breach in its DuckWeb system after a student used it to look at three other students’ degree audits.
The hole in DuckWeb’s security allowed Web users to view certain other students’ degree audits by changing digits in the URL for a printer-friendly version of their own audits, which contain information about a student’s grades and his or her progress toward a degree.
The student who discovered the breach was Daniel Bachhuber, a former Emerald employee, who called the University on July 22 to alert officials to the glitch.
University registrar Sue Eveland estimated that the breach, which has since been repaired, would have made at most 20 different students’ degree audits visible to those who manipulated the URL.
The glitch originated in the system the University uses to upload degree audits. All degree audits for which information has changed on a given day are uploaded together that night and assigned what Eveland said is a randomly generated nine-digit number called a batch number. That number sits at the end of the URL for the printer-friendly version of the audit, and it is the number Bachhuber changed to reach other students’ degree audits.
Eveland said only the first audit uploaded on a given night was accessible through the glitch. She also said the University removes the data tied to the batch numbers every 30 days, which she said means that only “15 to 20” audits would have been available to those who knew about the glitch at any given time during a 30-day period.
Bachhuber discovered the glitch when he was printing out his own degree audit on July 21. He said he has recently been interested in URL structure, and his interest inspired him to change the last two digits of the URL for his degree audit from “42” to “36.” When he did, another student’s degree audit popped up. Bachhuber changed the URL two more times and got two more audits.
“At first it struck me as, ‘Wow, this is a really stupid security hole,’” Bachhuber said. But he said that he later entered the URL for his own degree audit while logged out of DuckWeb and found he could still access it.
“My own personal data was exposed to anyone publicly,” Bachhuber said. “It wasn’t indexed on Google or anything, but if you understood the structure, you could get my degree audit.”
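As an added illustration that is not part of the article or of DuckWeb’s code, the following Python models the printer-friendly audit endpoint as the article describes it (served by batch number alone, with or without a login) next to a version with the two checks that close that kind of hole; the function names, sample audits and student ids are constructed.

```python
"""Added example: a minimal model of a 'printer-friendly audit' endpoint.
vulnerable_printable_audit() behaves as the article describes; hardened_
printable_audit() adds a session check and an ownership check. All data,
ids and names below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Audit:
    batch_number: str   # nine-digit id that appears at the end of the URL
    owner: str          # constructed student id of the audit's owner
    body: str


# Constructed store: two audits uploaded in the same nightly batch run.
AUDITS: Dict[str, Audit] = {
    "100000042": Audit("100000042", "student-a", "degree audit of student A"),
    "100000036": Audit("100000036", "student-b", "degree audit of student B"),
}


def vulnerable_printable_audit(session_user: Optional[str],
                               batch_number: str) -> Optional[str]:
    """The flaw as described: the batch number from the URL is the only thing
    consulted, so any existing number is served, logged in or not."""
    audit = AUDITS.get(batch_number)
    return audit.body if audit else None


def hardened_printable_audit(session_user: Optional[str],
                             batch_number: str) -> Optional[str]:
    """Same lookup with two checks: the request must carry an authenticated
    session, and the audit must belong to that session's user. Every denial
    returns None (a real app would send 401/403 or a login redirect) so the
    endpoint does not reveal which batch numbers exist."""
    if session_user is None:
        return None                      # logged-out request: nothing served
    audit = AUDITS.get(batch_number)
    if audit is None or audit.owner != session_user:
        return None                      # missing and foreign ids look alike
    return audit.body


if __name__ == "__main__":
    # Student A, logged out, requesting a neighbouring batch number:
    print(vulnerable_printable_audit(None, "100000036"))        # B's audit leaks
    print(hardened_printable_audit(None, "100000036"))          # None
    print(hardened_printable_audit("student-a", "100000036"))   # None
    print(hardened_printable_audit("student-a", "100000042"))   # own audit
```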
University officials downplayed the risk the loophole posed to students’ data.
“The information that was available on degree audits, none of it could have been used for identity theft,” University spokesperson Heidi Hiaasen said.
Eveland said she did not know for sure how batch numbers were generated for degree audits, but she said it was “very random.” She also said Bachhuber was the only person who had ever used the breach.
“This is a very low, obscure thing that got reported quickly, that was not accessed by any person but the person that reported it,” she said.