Security lapse makes GPAs visible

Security lapse makes GPAs visible
Security lapse makes GPAs visible

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

Content-Transfer-Encoding: QUOTED-PRINTABLE

By Alex Tomchak Scott 
News Editor
Oregon Daily Emerald
August 3, 2009

The University has fixed a security breach in its DuckWeb system after a 
student used it to look at three other students=E2=80=99 degree audits.

The hole in DuckWeb=E2=80=99s security allowed Web users to view certain other 
students=E2=80=99 degree audits by changing digits in the URL for a 
printer-friendly version of their own audits, which contain information 
about a student=E2=80=99s grades and his or her progress toward a degree.

The student who discovered the breach was Daniel Bachhuber, a former 
Emerald employee, who then called the University to alert officials of 
the glitch July 22.

University registrar Sue Eveland estimated that the breach, which has 
since been repaired, would have made at most 20 different students=E2=80=99 
degree audits visible to those who manipulated the URL.

The glitch originated in the system the University uses to upload degree 
audits. All degree audits for which information has changed on a given 
day are uploaded simultaneously that night and assigned what Eveland 
said is a randomly-generated nine-digit number called a batch number. 
That number is at the end of the URL for the printer-friendly version of 
the audit and it is the one Bachhuber used to access the degree audits.


Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2015 CodeGods