Student discovers flaw in HvA and UvA student information system

Jun 21, 2016

A Dutch student using the Student Information System (SIS) of the UvA and HvA discovered a leak through which he could easily retrieve the personal data and photos of more than 500,000 fellow students.

Software engineering student Nelson Berg ran into the vulnerability when he wanted to register for an exam. Simply by looking at the page source, he discovered that all names and student numbers could be scraped via a URL in a hidden div on the site https://sis.hva.nl. By then adjusting the StudentIdentifier parameter, students' photos and phone numbers could also be retrieved automatically.

Through the leak he could download 385,000 names and student numbers, 200,000 phone numbers and 130,000 photos of HvA students. Through the UvA system that came to 237,000 names and student numbers, 131,000 phone numbers and 63,000 photos. Berg suspects that more universities use the vulnerable SIS implementation.

After he reported the issue to the UvA's CERT at Pentecost, the vulnerabilities were fixed on May 17, a day later. The University of Amsterdam confirms Berg's account, but says the vulnerability was not in SIS itself. “We took SIS offline and contacted the supplier on the same day we were informed. We have also informed the other universities, and the leak has been closed,” a spokeswoman told Tweakers. For now, UvA students and staff have not been informed about the leak. The UvA says it has no evidence that the leak has been abused, so a notification did not seem necessary.

“Only my IP address made the millions of requests to retrieve the data, and no alarm bells went off,” Berg tells Tweakers. “You’d think they monitor that. The leak has probably been there from the beginning. They cannot say with certainty that it has not been abused, I think.” Berg is a part-time pentester. “I have a bit more background in these matters, but I found two leaks while I only wanted to register. Within ten minutes I saw a number in a URL parameter that strongly resembled my student number. Then I could write a scraper in Python to download the data.” According to the student, it is irresponsible that the system could contain such a leak. “Usually you only see this in systems that are not yet live.”
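The monitoring gap Berg describes (millions of requests from a single IP, walking through identifiers, with no alert) is the kind of pattern a simple log check can catch. Below is an added example, not code from the article or from the universities' systems: it parses constructed access-log lines (the log format, IP addresses and identifier values are hypothetical; only the parameter name StudentIdentifier comes from the article) and flags any source IP that requests more than a small number of distinct StudentIdentifier values inside a short sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ip> <ISO timestamp> <path>". The first IP walks
# sequential identifiers within seconds; the second re-fetches its own record.
SAMPLE_LOG = """\
203.0.113.7 2016-01-01T10:00:00 /sis/photo?StudentIdentifier=500001
203.0.113.7 2016-01-01T10:00:01 /sis/photo?StudentIdentifier=500002
203.0.113.7 2016-01-01T10:00:01 /sis/photo?StudentIdentifier=500003
203.0.113.7 2016-01-01T10:00:02 /sis/photo?StudentIdentifier=500004
203.0.113.7 2016-01-01T10:00:02 /sis/photo?StudentIdentifier=500005
203.0.113.7 2016-01-01T10:00:03 /sis/photo?StudentIdentifier=500006
198.51.100.2 2016-01-01T10:00:00 /sis/photo?StudentIdentifier=500042
198.51.100.2 2016-01-01T10:30:00 /sis/photo?StudentIdentifier=500042
"""

# ip, timestamp, and the StudentIdentifier query value (hypothetical log layout)
LINE_RE = re.compile(r"^(\S+) (\S+) \S*[?&]StudentIdentifier=(\d+)")


def parse(log):
    """Return a list of (ip, datetime, student_id) for lines that carry the parameter."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m.group(1), datetime.fromisoformat(m.group(2)), int(m.group(3))))
    return events


def enumeration_suspects(log, window=timedelta(minutes=5), max_distinct=3):
    """Map each suspicious IP to the largest number of distinct StudentIdentifier
    values it requested within any sliding `window`; IPs that stay at or below
    `max_distinct` (normal users looking up their own record) are not reported."""
    by_ip = defaultdict(list)
    for ip, ts, sid in parse(log):
        by_ip[ip].append((ts, sid))
    suspects = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # shrink window from the left
                start += 1
            distinct = {sid for _, sid in evs[start:end + 1]}
            if len(distinct) > max_distinct:
                suspects[ip] = max(suspects.get(ip, 0), len(distinct))
    return suspects
```

Tune `window` and `max_distinct` to the site's real traffic; the underlying fix is still a server-side check that the requested StudentIdentifier belongs to the authenticated user, with detection as the second line.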

The introduction of SIS by Oracle/Atos, starting in 2004, cost the HvA 14.6 million and the UvA 25 million, as Folia Magazine calculated in 2012.

Berg describes the details of the leak on the website of his IT company, BinaryIT.

[Image: UvA student data, pixelated]
