[ISN] Security lapse makes GPAs visible

From: InfoSec News <alerts_at_private>
Date: Tue, 4 Aug 2009 00:08:44 -0500 (CDT)
http://www.dailyemerald.com/news/security-lapse-makes-gpas-visible-1.236115

By Alex Tomchak Scott 
News Editor
Oregon Daily Emerald
August 3, 2009

The University has fixed a security breach in its DuckWeb system after a 
student used it to look at three other students’ degree audits.

The hole in DuckWeb’s security allowed Web users to view certain other 
students’ degree audits by changing digits in the URL for a 
printer-friendly version of their own audits, which contain information 
about a student’s grades and his or her progress toward a degree.

The student who discovered the breach was Daniel Bachhuber, a former 
Emerald employee, who then called the University to alert officials of 
the glitch July 22.

University registrar Sue Eveland estimated that the breach, which has 
since been repaired, would have made at most 20 different students’ 
degree audits visible to those who manipulated the URL.

The glitch originated in the system the University uses to upload degree 
audits. All degree audits for which information has changed on a given 
day are uploaded simultaneously that night and assigned what Eveland 
said is a randomly-generated nine-digit number called a batch number. 
That number is at the end of the URL for the printer-friendly version of 
the audit and it is the one Bachhuber used to access the degree audits.

[...]


Received on Mon Aug 03 2009 - 22:08:44 PDT
