A student discovered a hole in the university's IT security system last week that granted attackers full access to any university account with only the target's university e-mail address. OIT corrected the problem Friday night.
The system flaw, which Office of Information Technology officials said may have existed for as long as three years, made it possible for anyone to change a user's password by knowing only his or her university account name, which doubles as the user's e-mail address and can be found in the university directory. An attacker or hacker could perform almost any password-protected action, such as dropping classes or logging on as a faculty member and changing course grades.
OIT Director of IT Security Gerry Sneeringer said the software system is tweaked regularly, but the problem could have existed since the current software system was rolled out in 2006.
"What I'm surprised at is that no one's noticed before," he said. "Not just from OIT, but from anywhere. This software's been in use for almost three years."
Sneeringer said it was unlikely the weakness had been exploited, because OIT would have received complaints from students and employees unable to log into their accounts, which would have triggered an investigation. Sneeringer said he hasn't dealt with any breaches of this caliber since being hired in 2002, and he said there was no set plan for alerting students to security situations such as this. No alert was sent to university users.
The security gap, if used for malicious purposes, could have caused much damage at first but would have been contained very quickly, he said.
"[The system] is designed so the one password opens most doors," he said, adding that abuse would be relatively easy to trace because the OIT system logs changes to passwords with the time, computer location and process used to change them.
Freshman chemical engineering major Reza Hashemipour happened upon the vulnerability accidentally early last Monday while trying to log onto his Blackboard Academic Suite account. He brought the problem to The Diamondback's attention Thursday, and OIT fixed the error Friday evening after being contacted for this story.
Hashemipour found he could change another person's password without knowing the existing password, the answers to the other user's security questions or the target's university ID or social security number. Once the password was changed, someone could use the new password to access course registration, financial aid information and almost any other information available on most university systems.
"This isn't messing with your Facebook," Hashemipour said. "This is your entire academic career."
Sneeringer said a team of three or four programmers was waiting to correct the problem after a meeting with The Diamondback where reporters showed OIT officials the flaw. The hole was patched by 5 p.m. Friday, according to OIT spokeswoman Phyllis Johnson.
Two weaknesses in the system combined to create the security hole.
First, a bug in the password website allowed an attacker to change another user's password security questions with no special knowledge about the user. To change a forgotten password, a user must correctly answer these security questions and enter his or her social security number and birth date.
The second error allowed an attacker to enter arbitrary answers in the social security number and birth date fields, putting him or her directly through to the security question maintenance page without correctly providing any of the values.
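The way the two errors combine can be seen in a toy model of the reset flow. The following is an added illustration, not OIT's code or a reconstruction of its software: a weak version carries the two defects the article names (identity fields checked only for presence; the security-question maintenance step never confirming that verification succeeded), and a hardened version compares the submitted values against the record and refuses unverified sessions. The account name, the security answer and the SSN and birth-date values are constructed placeholders, and the audit record mirrors what the article says the system logs (time, client location and process).

```python
"""Added illustration (not OIT's code): a toy model of the password-reset flow the
article describes, with a weak version carrying the two defects named in the text
and a hardened version that enforces the step order on the server. Names, the
account record and the SSN/birth-date values are constructed placeholders."""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


def _h(value: str) -> str:
    # Store and compare secrets (SSN, security answers) only as normalized hashes.
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


def make_accounts() -> dict:
    # Constructed sample directory entry; every value here is a placeholder.
    return {"jdoe": {"password": "old-password", "ssn": _h("000-00-0000"),
                     "dob": "2000-01-01", "answers": {"pet": _h("rex")}}}


class WeakResetFlow:
    """Models the two defects from the article.
    Defect A: identity verification only checks that the SSN and birth-date
              fields were filled in; the values are never compared to the record.
    Defect B: the security-question maintenance page never checks that identity
              verification succeeded for this session."""

    def __init__(self, accounts: dict, audit_log: list):
        self.accounts, self.audit_log, self.sessions = accounts, audit_log, {}

    def start(self, username: str) -> str:
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": username, "verified": False}
        return sid

    def verify_identity(self, sid: str, ssn: str, dob: str) -> bool:
        s = self.sessions[sid]
        s["verified"] = bool(ssn) and bool(dob)          # Defect A: presence only
        return s["verified"]

    def set_security_answers(self, sid: str, answers: dict) -> None:
        s = self.sessions[sid]                           # Defect B: no verified check
        self.accounts[s["user"]]["answers"] = {q: _h(a) for q, a in answers.items()}

    def reset_password(self, sid: str, answers: dict, new_password: str,
                       client_addr: str = "unknown") -> None:
        s = self.sessions[sid]
        acct = self.accounts[s["user"]]
        if not s["verified"]:
            raise PermissionError("identity not verified for this session")
        if {q: _h(a) for q, a in answers.items()} != acct["answers"]:
            raise PermissionError("security answers do not match")
        acct["password"] = new_password
        # Record what the article says the system logs: time, client location, process.
        self.audit_log.append({"user": s["user"], "client": client_addr,
                               "process": "self-service reset",
                               "time": datetime.now(timezone.utc).isoformat()})


class HardenedResetFlow(WeakResetFlow):
    """Same interface; identity values are compared to the record in constant
    time, and the maintenance page refuses sessions that were not verified."""

    def verify_identity(self, sid: str, ssn: str, dob: str) -> bool:
        s = self.sessions[sid]
        acct = self.accounts[s["user"]]
        s["verified"] = (hmac.compare_digest(_h(ssn), acct["ssn"])
                         and hmac.compare_digest(dob, acct["dob"]))
        return s["verified"]

    def set_security_answers(self, sid: str, answers: dict) -> None:
        if not self.sessions[sid]["verified"]:
            raise PermissionError("identity not verified for this session")
        super().set_security_answers(sid, answers)


def username_only_reset_succeeds(flow_cls) -> bool:
    """Regression check for the flaw in the article: a reset attempt that knows
    only the account name must fail. Returns True if the password changes anyway."""
    accounts, log = make_accounts(), []
    flow = flow_cls(accounts, log)
    sid = flow.start("jdoe")
    flow.verify_identity(sid, "anything", "anything")   # arbitrary values in both fields
    try:
        flow.set_security_answers(sid, {"pet": "fluffy"})
        flow.reset_password(sid, {"pet": "fluffy"}, "new-password")
    except PermissionError:
        return False
    return accounts["jdoe"]["password"] == "new-password"


def legitimate_reset_succeeds(flow_cls) -> bool:
    """The real account holder, with correct SSN, birth date and answer, still gets
    through, and exactly one audit record is written."""
    accounts, log = make_accounts(), []
    flow = flow_cls(accounts, log)
    sid = flow.start("jdoe")
    flow.verify_identity(sid, "000-00-0000", "2000-01-01")
    flow.reset_password(sid, {"pet": "Rex "}, "new-password", client_addr="203.0.113.5")
    return accounts["jdoe"]["password"] == "new-password" and len(log) == 1
```

Both regression functions are meant to be kept as tests against the real flow: the first must return False and the second True for any build that ships. Note that neither defect is a check against the stored record per se; Defect A is a verification routine that accepts any input, and Defect B is a page that trusts the client to have passed a step it never confirms on the server. Fixing only one of them would still leave the flow exposed, which is the point Foster makes below about small errors lining up.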
Assistant computer science professor Jeffrey S. Foster said these breaches are frequently caused by multiple small errors existing at the same time.
"Two mistakes in two places wouldn't drastically affect security separately, but the combination of smaller problems, the way they line up, is where a lot of security issues arise," he said.
Sneeringer said that, with the complicated software interactions required to do something like changing a password, the technical problem could be relatively trivial.
"There's some bug in the code where if I do this, this and this, the birthday verification doesn't work," he said. "It could be a matter of one word in the code in the wrong place."
Hashemipour claimed he had not revealed the hole to anyone else, and Sneeringer said that means he is not in any disciplinary danger.
"It's not hacking to just click on a web page and have things happen," Sneeringer said, before adding that a reward for Hashemipour may be in order.
Foster teaches a graduate class on program analysis and said there is no way for OIT to completely shield itself from incidents like this.
"Software is complicated. It's hard to get it right sometimes," he said. "You just can't test every behavior of a software system. It's literally impossible."
Foster cited a similar incident at Harvard University in which applicants could gain access to their admissions decisions before they were notified by the university. When the gap was discovered, Foster said, Harvard denied admission to all applicants who had taken advantage of the glitch.
"If it can happen to Harvard, it can certainly happen here," he said.
abdilldbk@gmail.com