92

I am sorry for my lack of knowledge in this matter.

My university (basically an international university in the UK that has students from different countries) has a website which requires the students to login before they can access their examination results. These results also include their Name and Address.

But by inspecting the network transaction, I found out that it went to a page that directly takes the student registration number in the URL and displays the examination result related to that. This page can be accessed without logging in to the student account, and without any hassle it gave me the examination result that exposed the student's name and address. I tried multiple registration numbers similar to mine and all were processed easily.

Another problem is that these registration numbers are in fixed length, only contain numbers and are in ascending order. So for example if a valid registration number is 000001 then the next one would be 000002 and so on.

So in my opinion an attacker can easily create an automated program that could generate these registration numbers, randomly or in order, and get the names and addresses of hundreds of students.

My questions are:

  1. Is it universally approved practice for universities to expose the names and addresses of students?
  2. Is it universally approved practice for universities that strong security related to name and address is not important?
  3. Is it a severe attack and do I have to report it to them? Or can it simply be ignored?

Update:

I received the reply from the university and they have now fixed it. Thanks to all of you.

Ghulam Ali
  • 875
  • 1
  • 6
  • 9
  • 55
    If the University is in the UK, this may be a breach of the Data Protection Act and if it is not immediately fixed by the University, it can be reported to the [Information Commissioner's Office](https://ico.org.uk/concerns/handling/) who may decide to take further action. – daiscog Jan 04 '17 at 16:28
  • Where is this university? Are the grades also publicly accessible? – Jedi Jan 04 '17 at 16:31
  • 53
    You might consider reporting this anonymously. – Lifeweaver Jan 04 '17 at 16:31
  • 7
    If I understood correctly you are saying that your university has a page where, given the matriculation number of a student, they give you name and postal address (or email address?), and possibly the grade of an exam? – Bakuriu Jan 04 '17 at 17:33
  • 1
    @daiscog the university is based in UK. – Ghulam Ali Jan 04 '17 at 18:21
  • 6
    @Josh yes I am really worried about on how to report it, I think reporting anonymously would be much better. Thanks. – Ghulam Ali Jan 04 '17 at 18:22
  • @daiscog thanks for the link, I will look into it. – Ghulam Ali Jan 04 '17 at 18:24
  • 3
    @Bakuriu, yes totally correct. But by display it first asks for the student username and password before they give the report; if we use the vulnerability we can bypass that login and see the report without logging in. – Ghulam Ali Jan 04 '17 at 18:27
  • 16
    @GhulamAli As long as you guys still are in the EU, that's a very serious problem your university has there. It's clearly illegal under EU law. – UTF-8 Jan 04 '17 at 23:14
  • Unless you took steps to hide your IP address during the original accesses, you can't really report it fully anonymously. – CodesInChaos Jan 05 '17 at 12:36
  • 5
    @daiscog's comment is really the best answer, I think. Since the university is in the UK, this is almost certainly a breach of the DPA (violation of principle 7, and probably 6 and 8 as well). The university should have a DPA office/officer who will go ballistic when you report this (and I think you should), and should be able to get very senior pressure applied to change it. If they don't fix it promptly, then a report to the ICO, as suggested, would be proper. – Norman Gray Jan 05 '17 at 13:33
  • 2
    The question asked in the title, "Is it a security vulnerability if...", has a fundamentally ambiguous answer even in such a clear-cut scenario. The phrase "security vulnerability" can be defined as "something surprising that you can do with a system you control" and while this case is semi-objective in the sense that "well it would certainly surprise the government regulators who would presumably issue a steep fine!" it still has a lot of these hallmarks of subjectivity. – CR Drost Jan 05 '17 at 18:28
  • 2
    Would *you* want your address and name leaked? – noɥʇʎԀʎzɐɹƆ Jan 06 '17 at 03:10
  • I think that accessing these pages about any student other than yourself, while understanding that the university was intending to keep them private, would be a crime under [section 1 of the computer misuse act](http://www.legislation.gov.uk/ukpga/1990/18/section/1) – bdsl Jan 06 '17 at 23:53
  • "by inspecting the network transaction" - does this also imply the connection is not protected with an SSL cert? – MrWhite Jan 07 '17 at 22:47
  • If the students' addresses are just mail boxes at the campus post office this would be less egregious - but still bad. – emory Jan 08 '17 at 00:16
  • 1
    @w3d the connection was https but website was using Ajax so I looked into the HTML source and found the clear link it was using. – Ghulam Ali Jan 08 '17 at 13:27
  • @emory No it's not mail boxes at campus. It's their personal address. – Ghulam Ali Jan 08 '17 at 13:28
  • Usually, anything that's related to the word "exposed" is bad. – Aloha Jan 08 '17 at 16:22
  • 1
    If/when you report it, I'd suggest highlighting the fact that you can see other student's grades. That's more likely to be a violation than having their addresses public. Twice, I reported similar issues to my previous college, and the issue was always well received and fixed quickly once it got to the right person. – Joshua Dwire Jan 09 '17 at 02:56
  • @GhulamAli Just out of curiosity, did you get a chance to report it? If yes, has any action been taken from the admin side? – pri Jan 10 '17 at 08:09
  • @PriyankGupta Yes I reported it 4 days ago. No reply yet. But the automated response to that email address said that they will respond within 5 days. – Ghulam Ali Jan 10 '17 at 08:50
  • So I got the reply, the person told me he forwarded my email to relevant department where the issue will be discussed and they will be in touch with me if needed. I will update if I get any further message. – Ghulam Ali Jan 10 '17 at 22:32

9 Answers

94

I am sorry for my lack of knowledge in this matter.

You shouldn't be.

Is it universally approved practice for universities to expose the name and addresses of students?

As pointed out in comments, it depends on your local laws and regulations. You should certainly check it once. But the way you describe the application (changing the URL to get the details, including the result), it sounds like a bug, which should certainly be reported.

Is it universally approved practice for universities that strong security related to name and address is not important?

No, be it a university or a big MNC or a small enterprise, or your own personal account, security is ALWAYS important.

Is it a severe attack and do I have to report it to them? Or it can be simply ignored?

Yes, you have to report it to the university, as soon as possible. It should not be ignored.

EDIT: As pointed out in comments, there are some universities which do allow students' addresses to be made public.

pri
  • 4,446
  • 24
  • 31
  • 20
    Note that depending on the location of the University this could be a *huge* legal/financial liability... – Jared Smith Jan 04 '17 at 13:42
  • 5
    @JaredSmith Or it can be completely ignored, like the case Troy Hunt covered about a website exposing health information in India https://www.troyhunt.com/43-203-indian-patient-pathology-reports-were-left-publicly-exposed-by-health-solutions/ – Maurycy Jan 04 '17 at 15:03
  • 1
    As I point out in my answer [below](http://security.stackexchange.com/a/147245/111626), this answer is likely inaccurate. Universities in most Five Eyes countries publicly disclose "directory information" with a possibility of an opt-out. – Jedi Jan 04 '17 at 15:05
  • 1
    @Jedi: OP says that he's able to access results as well, while the link you shared suggests that GPA/grades shouldn't be made public. Personally, I wouldn't want to share even my permanent address with the outside world. Also, if there's such a facility by the university, to give out the students' details, then it should be in an elegant way. The way OP describes the situation (registration number in the URL), it sounds like a bug in the website. – pri Jan 04 '17 at 16:14
  • @PriyankGupta exactly. Universities divide FERPA-class information into two categories "directory" and "private". Grades, DoB is private, contact information and address is not. `No, exposing the names and addresses is a serious breach of privacy.` This statement is hence inaccurate. Exposing names and addresses is allowed by the privacy policy of US/UK/etc. universities. This does not mean that security or privacy of your personal information is not important. OP should check the relevant laws that apply to his country. The upvotes on this answer would mean that Stanford, MIT, CMU are wrong? – Jedi Jan 04 '17 at 16:30
  • @Jedi: Now that I have an example of Virginia Tech, I have edited the answer. Thanks for your inputs! :) – pri Jan 04 '17 at 16:43
  • 3
    @PriyankGupta not to be argumentative but the answer is still inaccurate. It isn't the university that decides. The relevant law, i.e. FERPA in the US requires that `A student's directory information may be released to an inquirer...` and students must individually opt out. Universities could/should be more privacy-sensitive and make it easier to opt out, but to call it a severe attack without knowing the facts is rushing to judgment. OP should first check the relevant laws and how they apply and [fill out a form if needed](https://www.cmu.edu/hub/ferpa.html). – Jedi Jan 04 '17 at 16:56
  • @PriyankGupta: At the University of Cambridge, grades are public information (they are published on the walls of the Senate House). OTOH, if this is a UK university, the ICO will be distinctly unimpressed. – Martin Bonner supports Monica Jan 04 '17 at 17:53
  • 16
    @Jedi At a college I used to work at in the USA, this would be a **huge** deal. We had a student murdered by an abusive ex because somebody gave him info about her that they shouldn't have. Maybe it's not breaking any laws in 99.999% of cases, but that one student that did opt out may have had very good reason. – Kat Jan 04 '17 at 20:36
  • @JaredSmith most organisations will have a clause in the contract/T&C/etc that basically says you give them permission to do whatever they want with your information to prevent being held liable when glitches like this happen. – Aequitas Jan 05 '17 at 14:05
  • 1
    @Aequitas having said contract clause and having it *actually* hold up in court are two different things. Also, universities live and die by recruiting, which is based on public perception. No school would want that kind of PR hit. – Jared Smith Jan 05 '17 at 14:19
  • @Kat V, The original answer painted with a broad brush, and was hence inaccurate. I have no quarrels with the answer as it stands. It's good to hear about a university taking proactive measures to improve privacy. However, do they back up their actions with a written policy that guarantees this to students? Public perception is overrated. – Jedi Jan 05 '17 at 21:06
  • Even though many universities operate a public directory, there is often a way to opt-out or for some information to be non-public, precisely because of situations like the one @Kat mentioned. It is, of course, possible that the information here is just exactly the same as that published in a publicly available directory, but that should be investigated as part of determining the severity of this vulnerability. – Zach Lipton Jan 07 '17 at 10:42
  • @MartinBonner big difference between publishing on a wall somewhere and being able to access them online through a possible unintentional website glitch. – user64742 Jan 08 '17 at 19:26
  • The fundamental problem is violating an expectation of privacy. If students expect the school to make their address public when they give the school that information there is no problem. If they don't, and the school lets them be exposed, it's a serious problem. The local laws just define how much trouble the school is in. Even if they didn't apply there is a moral imperative here. – candied_orange Jan 09 '17 at 12:43
  • If the college decides to make the info public by default, they should explicitly mention it while admitting the students, so that the students aren't under any kind of false impression. – pri Jan 10 '17 at 08:06
50

This is a vulnerability. The way they have used sequenced, guessable numbers to access records is a class of vulnerability called Insecure Direct Object Reference, and it is featured in the OWASP Top 10 (https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References).

Depending on where in the world you live, the university may be contravening data protection laws. At the very least it is poor data control and violates your personal privacy; you should certainly tell them about this.

iainpb
  • 4,162
  • 2
  • 17
  • 35
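The endpoint the question describes and the Insecure Direct Object Reference class iainpb names, modelled as an added example (this is not code from the question, from any answer, or from the university's system): the vulnerable handler selects the record from the URL parameter alone, while the hardened handler binds the requested registration number to the identity of the logged-in session and records every cross-account request, so a session walking the sequential number space shows up in the audit log. The record store, session store, names and the six-digit format are constructed for the example.

```python
"""Added example: an insecure direct object reference on a results page,
beside the authorization check that fixes it. All data below is constructed."""

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed records keyed by a fixed-length, sequential registration number.
STUDENT_RECORDS: Dict[str, dict] = {
    "000001": {"name": "A. Example", "address": "1 Sample Street", "result": "Merit"},
    "000002": {"name": "B. Example", "address": "2 Sample Street", "result": "Pass"},
    "000003": {"name": "C. Example", "address": "3 Sample Street", "result": "Distinction"},
}

# Constructed session store: session token -> registration number of the logged-in student.
SESSIONS: Dict[str, str] = {"sess-abc": "000001"}

# Audit trail of denied cross-account lookups (one line per denial).
AUDIT_LOG: List[str] = []

REG_NO = re.compile(r"^\d{6}$")


class Unauthenticated(Exception):
    """No valid session accompanied the request."""


class Forbidden(Exception):
    """The session is valid but does not own the requested record."""


@dataclass
class Request:
    path_param: str                # registration number taken from the URL
    session_token: Optional[str]   # None when the client sends no session cookie


def results_vulnerable(req: Request) -> Optional[dict]:
    """The pattern the question describes: the URL parameter alone selects the
    record and the session is never consulted, so any guessable number works."""
    return STUDENT_RECORDS.get(req.path_param)


def results_hardened(req: Request) -> dict:
    """Same endpoint with the missing check. The record returned is the one
    bound to the authenticated session; the URL value is accepted only when it
    matches that identity, and every mismatch is logged for detection."""
    if not REG_NO.fullmatch(req.path_param):
        raise ValueError("malformed registration number")
    owner = SESSIONS.get(req.session_token or "")
    if owner is None:
        raise Unauthenticated("login required")
    if req.path_param != owner:
        AUDIT_LOG.append(
            f"session={req.session_token} owner={owner} requested={req.path_param} DENIED"
        )
        raise Forbidden("not your record")
    return STUDENT_RECORDS[owner]


def lookup_outcome(req: Request) -> str:
    """Run the hardened handler and summarise the result as a short status word."""
    try:
        results_hardened(req)
        return "ok"
    except ValueError:
        return "invalid"
    except Unauthenticated:
        return "unauthenticated"
    except Forbidden:
        return "forbidden"


def denied_count(session_token: str) -> int:
    """Denied cross-account lookups recorded for one session; a burst of these
    from a single session is the signal that the number space is being enumerated."""
    prefix = f"session={session_token} "
    return sum(1 for line in AUDIT_LOG if line.startswith(prefix))


if __name__ == "__main__":
    # No session at all: the vulnerable handler still returns another student's record.
    print(results_vulnerable(Request("000002", None)))
    # The hardened handler refuses the same request and logs it.
    print(lookup_outcome(Request("000002", None)))
    print(lookup_outcome(Request("000002", "sess-abc")), denied_count("sess-abc"))
    print(results_hardened(Request("000001", "sess-abc"))["result"])
```

The key design point is that the hardened handler never trusts the URL to choose the record: the session decides whose record may be read, and the URL value is merely checked against it. Returning a distinct "forbidden" status is shown here for clarity; a deployment may prefer to answer "not found" for records the session does not own so that the response does not confirm which registration numbers exist.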
25

Since the university is in the UK, this is almost certainly a breach of the DPA 1998. That is, this is not narrowly a ‘security’ issue.

A student home address would certainly count as ‘personal data’ within the terms of the Act. The fact that you can retrieve the data in this way is, I'm very sure, a violation of principle 7, and probably 6 and 8 as well. The principles are that personal data must be

  1. fairly and lawfully processed;
  2. processed for limited purposes;
  3. adequate, relevant and not excessive;
  4. accurate;
  5. not kept for longer than is necessary;
  6. processed in line with users’ rights;
  7. secure; and
  8. not transferred outwith the EEA.

The fact that you had to very mildly hack this to get the information doesn't change things: it means that it isn't secure. Principle 7, in full, is ‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’

A final degree classification would count as public data, in the sense that part of your contract with the university is that they would tell people that you've graduated. Internal/intermediate marks would probably not count as public data (and that ‘probably’ means that there would have to be a positive argument that they did count as public, before it was OK to make them available like this).

The university should have a DPA office/officer who will go ballistic when you report this to them (and I think you should), and should be able to get very senior pressure applied to change it. They might not seem to make much of a fuss in response to your report, but I hope they would take immediate action internally. If they don't fix it promptly (or perhaps even if you don't see immediate evidence that they have done so), then a report to the ICO, as suggested by @daiscog's comment, would be proper.

Regarding the question of reporting this anonymously, you could if you want, but I would hope it wouldn't matter, and that the DP Office would be appropriately discreet (this is very much their problem, not yours). If there were any comeback, I'm sure the ICO would be extremely interested to hear about that.

I'm in effect the DP officer in our (UK) university department, and I know how I or the university DP office would respond to hearing about this.

(I originally posted this as a comment, but on reflection expanded it into an answer)

Norman Gray
  • 351
  • 2
  • 4
8

It's possible that it is by design, and not thought of as leakage of sensitive information. If you were to look at directories online, MIT, CMU, Stanford, and any others I think of all publicly list students and staff directories.

Universities in the United States are generally more concerned about FERPA, which protects student education records.

"Directory information" such as name, address, enrollment status and dates are not protected by default. Here's a good list of what qualifies as directory information and can be revealed to the public. The relevant stipulation reads:

A student's directory information may be released to an inquirer, outside the University, unless the student specifically requests that directory information be withheld.

If I were you, I would look around for a privacy policy before contacting the university. It is likely intentional. Your university likely has an opt-out clause to protect your directory information.

Also, most websites have their directories on do-not-crawl lists so that your records are not online on search engines. You may wish to check the robots.txt.

That being said, grades should never be disclosed. In practice, under a rare FERPA case, grades refer to letter/transcript grades and not individual classroom scores which are sometimes considered to be "lecturer notes".

Jedi
  • 3,936
  • 2
  • 24
  • 42
  • 7
    None of the university pages you linked show student or staff addresses. They only show student names, campus id's, and school emails. – Yay295 Jan 04 '17 at 16:10
  • 2
    To support @Jedi, I can confirm that Virginia Tech certainly shows student addresses of anyone who doesn't opt-out. search.vt.edu/people.jsp – HammerN'Songs Jan 04 '17 at 16:25
  • 3
    @Yay295: searching for Aiken on Stanford's directory [gives me all his information](https://stanfordwho.stanford.edu/SWApp/detailAction.do?key=DS036G974&search=aiken&soundex=&stanfordonly=&affilfilter=everyone&filters=closed) (not sure if the link will persist). My university reveals my details and I followed up with them to learn about the relevant FERPA sections. – Jedi Jan 04 '17 at 16:35
  • 1
    @Jedi, that appears to be the exception, not the rule. I checked 100 random results, and only 4 of them showed their home address. If you had to opt-out to hide this information, I would have expected it to be higher, so it seems likely that these people have specifically chosen to release their home address. – Yay295 Jan 04 '17 at 17:32
  • 1
    Up until 2014 MIT displayed all this info in its directory https://thetech.com/2014/07/09/mitpeople-v134-n29 – raphael Jan 04 '17 at 17:33
  • @Yay295 the way it works at my university (for home addresses / telephone numbers) is that you fill out a form providing the information to the university, which you typically do as faculty, staff or a paid teaching/research assistant. My point is not that displaying address information is widespread/common, but that it is lawful. I quote the relevant portions of FERPA that are applicable. – Jedi Jan 04 '17 at 17:38
  • 6
    robots.txt is not a security measure (in particular when it says "dear google, please don't look at supersecretpage", this may rather help attackers to find it) – Hagen von Eitzen Jan 04 '17 at 19:34
  • @HagenvonEitzen good point. In this case it is used as intended. It is meant to prevent indexing of contact information by "nice" crawlers so they don't turn up on a Google search for example. – Jedi Jan 04 '17 at 20:58
  • Even though OP did only explicitly ask about directory information, in my opinion you should put more emphasis on your last paragraph: By linking other information to the directory information, this becomes a huge issue which should be addressed! – I'm with Monica Jan 05 '17 at 09:19
  • 1
    This answer is incorrect. The OP is in the UK and therefore UK/EEA/EU laws apply. Personal information is any data, or combination of data, that can be used to identify and individual, which name and address certainly is. This data should never have been released. – Ben Jan 08 '17 at 09:00
  • @Ben, I missed OP's location update. I will update the answer accordingly to indicate that it only holds for the USA. – Jedi Jan 08 '17 at 13:22
5

Although an answer has been accepted and both Priyank and Iain make some good points, I think it's worth looking at the question of whether this is sensitive data in more depth.

First off, there is something of a difference between exam results (typically a student will have many exams during their course of study) and qualifications (i.e. the final award by the institution). So it is also possible to infer whether an individual is currently a student.

This information opens the door to all sorts of targeted phishing - people pretending to be a student loan provider, offering refinancing or pretending to be official alumni organizations.

It is also a great asset for identity fraud. While I've never come across a wish-it-was-two-factor question about higher education ("What was your first school" still seems common), such a facility would facilitate fraudulent job/credit applications.

Hence, the question about whether this falls within the organization's privacy policy or local regulation is moot: it constitutes a dereliction of the provider's duty of care to their students/graduates.

But the flip side of this is that it seems crazy to me that the only way I can prove what degrees I have to someone who asks (e.g. a prospective employer) is to show them a bit of paper (relatively easy to fake). But I imagine that most people reading this would be able to think of simple, effective solutions to securely revealing such information.

symcbean
  • 18,418
  • 40
  • 74
  • IME companies simply call the school to confirm graduation. I only recall an overseas job asking for transcripts due to a law. Never in the states. – Deek Jan 05 '17 at 06:50
4

Personally, I am mostly concerned that the system reveals the registration ID of the students.

I don't know how things are at your university, but in my time as a student, we wrote the RI on our exam answer sheets so that the graders wouldn't know who was who.

At your university, the graders can look up who is who and that is, in my opinion, a severe security breach.

Stig Hemmer
  • 2,413
  • 10
  • 14
  • Faculty can look up registration IDs anyway--at any university I've worked at, and I'm sure anywhere else. How else would the grades be associated with the right student? The point is that, while grading, they don't know who the number corresponds to, to reduce unconscious bias. – Nick Matteo Jan 06 '17 at 18:52
3

If the information on student grades can personally identify an individual, this is almost certainly an issue. If, on the other hand, all you can see are the grades associated with some unknown individual, i.e. associated with some number, but you cannot determine precisely who that number represents, then it may not be considered a security issue, as it could be argued the data has been anonymised. A lot depends on the privacy legislation in effect (most likely the UK legislation, but this can be affected by the country where the data is hosted/located and the privacy policies of the institution). For example, students might be required to agree to allowing their result data being made public as part of the terms and conditions of enrolment. However, this is unlikely.

Most countries have privacy legislation which determine what is considered to be private or personal information and in some cases, impose additional responsibilities on the hosting organisation with respect to what level of permission they must obtain from the individual to make data public and what actions they must take should data be accidentally disclosed or breached via some sort of security failure. For example, in the US, if a company has an incident where personal data is either deliberately or accidentally compromised and that data has possible financial implications, such as exposure of credit card details, the organisation is required to provide credit monitoring services to affected individuals for a period of time. Some countries also have mandatory data breach reporting and notification legislation, which requires the organisation to notify individuals and often a central authority when data has been compromised.

Unfortunately, governments have struggled to develop clear and consistent legislation relating to privacy and to maintain legislation which is able to keep pace with technology. There are significant differences between countries with different emphasis and objectives. For example, the US has considerable policies relating to privacy and mandatory reporting, but they also have legislation relating to homeland security and anti-terrorism which some feel compromises personal data privacy. Germany and a number of other European countries have very strong legislation to protect personal privacy. Australia has relatively recently updated personal privacy legislation, but is struggling to introduce mandatory data breach reporting legislation etc.

From your description, I suspect that you have indeed discovered a data access vulnerability and you should almost certainly report it to the University. Unfortunately, it isn't always easy to find out how to report such issues. The first place to check would be to look at the organisation's privacy policy. It is also likely the UK has a central authority, such as a privacy ombudsman, which you could also report this issue to.

You should also be aware that you need to be very careful about accessing this data, especially using the URL manipulation technique you described or providing specific details regarding how to access the data. In some countries, it could be argued that you have broken the law and you could be charged with 'hacking'. The pace of technical change combined with a lack of understanding within the legislative and judicial systems has resulted in some poorly drafted legislation and legal interpretation of that legislation. There have been a number of cases where individuals have been charged for publicising data access vulnerabilities. While such charges usually don't result in a conviction, the potential hassles this sort of charge brings with it are best avoided.

Tim X
  • 3,252
  • 14
  • 13
3

Indeed. Especially if the university agrees to keep such information private, this could be a huge violation of their own policies.

user135650
  • 31
  • 1
2

In the US, merely writing a simple script that scrapes such info can get you a 3.5 year sentence. If the university did not intend to make this info public, it will be considered a vulnerability.

iyrin
  • 121
  • 2
  • +1 This was the answer I was thinking of. Sometimes, merely accessing a "protected" system to see anyone else's private data, no matter how lax security may be, there's always a risk that the hacker will be fined, jailed, or both. – phyrfox Jan 08 '17 at 23:00