Sydney Uni exposes student info

Summary: The University of Sydney has exposed thousands of student details including names, addresses and course information to public access via the internet.

The University of Sydney has exposed thousands of student details including names, addresses and course information to public access via the internet.

The details were stored in a way that allowed them to be accessed simply by altering an identification number revealed in a university web address.

University of Sydney vice chancellor spokesperson, Andrew Potter, said the details have been pulled offline and the university is investigating the matter.

"We confirmed that method of access was possible and immediately we shut it down," Potter said. "We do not know as yet if details were compromised."

Potter did not rule out contacting students to warn them of the breach, but was unsure if an IT forensic investigation was underway.

A review of logs could reveal whether the details were compromised, but the industry's track record suggests that such reviews often cannot.

"It depends on having the right logging, which is seldom the case," HackLabs director Chris Gatford said.

Such vulnerabilities, where data can be accessed by entering sequential numbers into a URL address, are common and are often introduced by software developers.

But common mitigation efforts also fail.

"Developers move the identity from the URL to part of a post request, but it still doesn't mitigate the vulnerability," Gatford said. "You can use a local proxy then to identify that value and do the attack in the post of the request."
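The access pattern described in this article, an insecure direct object reference (IDOR) where a record id taken from the request selects which student's details are returned, is easy to see in a few lines of code. The block below is an added example, not code from ZDNet, the University of Sydney or HackLabs; the record store, the session model, the `/student/details?sid=` path and the access-log lines are all constructed for illustration. It shows the vulnerable lookup, the "move the id into the POST body" variant Gatford says still fails, the authorization check that actually fixes it, and a small log scan for the consecutive-id access pattern, which is the kind of review Potter and Gatford say depends on having the right logging in the first place.

```python
"""Added example (not from the article): insecure direct object reference
(IDOR) in a student-records lookup, why moving the id from the URL into a
POST body does not fix it, and a log check for sequential-id enumeration.
All names, record ids, paths and log lines below are constructed."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed sample data: record id -> student record.
RECORDS = {
    310001: {"name": "A. Example", "address": "1 Sample St", "course": "BSc"},
    310002: {"name": "B. Example", "address": "2 Sample St", "course": "BA"},
    310003: {"name": "C. Example", "address": "3 Sample St", "course": "LLB"},
}


@dataclass
class Session:
    """Server-side session of an authenticated user (hypothetical model)."""
    user_id: int            # the student's own record id
    is_staff: bool = False  # staff may read any record


class Forbidden(Exception):
    pass


def vulnerable_get(session: Session, url: str) -> dict:
    """Vulnerable: the id in the query string picks the record, and nothing
    checks that the logged-in user is allowed to see it."""
    sid = int(parse_qs(urlparse(url).query)["sid"][0])
    return RECORDS[sid]


def vulnerable_post(session: Session, body: str) -> dict:
    """Still vulnerable: the id now travels in the POST body, but the body is
    just as much under the client's control as the URL was."""
    sid = int(parse_qs(body)["sid"][0])
    return RECORDS[sid]


def can_read(session: Session, sid: int) -> bool:
    """The missing control: an authorization decision made on the server,
    tying the requested record to the authenticated principal."""
    return session.is_staff or session.user_id == sid


def hardened_get(session: Session, url: str) -> dict:
    """Fixed: same URL shape, but the lookup is gated by can_read()."""
    sid = int(parse_qs(urlparse(url).query)["sid"][0])
    if not can_read(session, sid):
        raise Forbidden(f"user {session.user_id} may not read record {sid}")
    return RECORDS[sid]


def own_record(session: Session) -> dict:
    """Stronger still: derive the id from the session and never accept one
    from the client, so there is no parameter to tamper with."""
    return RECORDS[session.user_id]


# Constructed access-log lines in Apache combined format. One client walks
# three consecutive ids; another fetches a single record.
ACCESS_LOG = """\
203.0.113.7 - - [01/Jan/2011:10:00:01 +1100] "GET /student/details?sid=310001 HTTP/1.1" 200 812
203.0.113.7 - - [01/Jan/2011:10:00:02 +1100] "GET /student/details?sid=310002 HTTP/1.1" 200 798
203.0.113.7 - - [01/Jan/2011:10:00:03 +1100] "GET /student/details?sid=310003 HTTP/1.1" 200 805
198.51.100.9 - - [01/Jan/2011:10:00:05 +1100] "GET /student/details?sid=310002 HTTP/1.1" 200 798
"""
LOG_RE = re.compile(r'^(\S+) .*"GET /student/details\?sid=(\d+) HTTP/1\.\d" 200')


def enumeration_suspects(log_text: str, min_run: int = 3) -> dict:
    """Return {client_ip: longest_run} for clients that successfully fetched
    `min_run` or more records with consecutive ascending ids, the footprint
    of 'alter the number in the address' access. Only possible if the web
    server logs the query string at all."""
    ids_by_ip: dict = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ids_by_ip.setdefault(m.group(1), []).append(int(m.group(2)))
    suspects = {}
    for ip, ids in ids_by_ip.items():
        run = best = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            suspects[ip] = best
    return suspects


if __name__ == "__main__":
    student = Session(user_id=310001)
    print(vulnerable_get(student, "/student/details?sid=310002"))   # someone else's record
    print(vulnerable_post(student, "sid=310003"))                   # POST does not help
    print(can_read(student, 310002))                                # False
    print(own_record(student))                                      # only their own
    print(enumeration_suspects(ACCESS_LOG))                         # {'203.0.113.7': 3}
```

The point of `own_record` is that the safest version of the page takes no id from the client at all; where a page legitimately must accept one (a staff view, for instance), `can_read` shows the shape of the check that has to run before the lookup, regardless of whether the id arrives in the URL, a form field or a JSON body.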

The vulnerability was pointed out to the university by the Sydney Morning Herald, which also reported earlier this week that the university's website and corporate web pages had been hacked and defaced.

Darren Pauli

About Darren Pauli

Darren Pauli has been writing about technology for almost five years; he covers a gamut of news with a special focus on security, keeping readers informed about the world of cyber criminals and the safety measures needed to thwart them.

Talkback

2 comments
  • In most cases logging in the web server is turned on so that marketing can audit which web pages are requested most often.

    This vulnerability is caused due to lack of authorization. Furthermore, the webmaster could apply alternate controls such as http://httpd.apache.org/docs/2.2/howto/htaccess.html#auth if appropriate.

    A POST request is used to submit information via a form, etc. I am not aware of any developers that propose it be used to increase security of a web application.
    cmlh
  • Why is there a skull on the picture?
    DimitriAu