On Tuesday, July 21 around 11 pm Pacific, I stumbled across a serious information security flaw in DuckWeb, the University of Oregon’s student information portal. For some of the work I’ve been doing with Publish2, I’ve been paying close attention to the composition and beauty of URLs. When printing out my degree audit for a trip down to Eugene the next day, I realised that the print version of the degree audit had a unique string of digits at the end of the URL. Curious, I changed the last two, refreshed, and ended up with someone else’s degree audit.
Now, I believe this is what security experts might call a “really stupid programming error.” Better yet, I found out that I could log out of DuckWeb and, with the URL I had copied and pasted into a text file, still access the print view of my degree audit.
According to an article published today in the Daily Emerald:
The glitch originated in the system the University uses to upload degree audits. All degree audits for which information has changed on a given day are uploaded simultaneously that night and assigned what [University registrar Sue] Eveland said is a randomly-generated nine-digit number called a batch number. That number is at the end of the URL for the printer-friendly version of the audit and it is the one Bachhuber used to access the degree audits.
Eveland said only the first audit uploaded on a given night was accessible through the glitch. She also said the University removes the data tied to the batch numbers every 30 days, which she said means that only “15 to 20” audits would have been available to those who knew about the glitch at any given time during a 30-day period.
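The two defects described above (a print view keyed only by a number in the URL, and no session check on that view) can be shown side by side. The code below is an added example written for this page, not DuckWeb's or the University's code: the data model, the sample audits, the session store and the token-link scheme are all assumed.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Audit:
    student_id: str
    batch_number: str  # nine-digit number shared by everything uploaded that night
    body: str


# Constructed sample data (not real records): audits from two consecutive nightly batches.
AUDITS = [
    Audit("950123456", "483920117", "Degree audit for student 950123456"),
    Audit("950654321", "483920118", "Degree audit for student 950654321"),
]

# Assumed session store: session cookie value -> student id of the logged-in user.
SESSIONS: Dict[str, str] = {"sess-alice": "950123456"}


def vulnerable_print_view(batch_number: str) -> Optional[str]:
    """The pattern the post describes: the number at the end of the URL is the
    only input consulted. No session is required and nothing ties the record
    to the requester, so editing the last digits yields someone else's audit."""
    for audit in AUDITS:
        if audit.batch_number == batch_number:
            return audit.body
    return None


def hardened_print_view(session_cookie: Optional[str], batch_number: str) -> Optional[str]:
    """Same lookup, but a live session is required and the record must belong
    to the logged-in student. Every failure returns the same None, so the
    batch-number space cannot be probed to learn which numbers exist."""
    student_id = SESSIONS.get(session_cookie or "")
    if student_id is None:
        return None
    for audit in AUDITS:
        if audit.student_id == student_id and audit.batch_number == batch_number:
            return audit.body
    return None


# One step further: a short-lived, unguessable print link instead of a batch
# number. A random nine-digit number is only about 30 bits of entropy; a
# 32-byte token is not brute-forceable, and an expiry keeps a copied URL from
# working indefinitely (the post notes a saved URL still worked after logout).
PRINT_LINK_TTL = 300  # seconds; assumed value
_print_links: Dict[str, Tuple[str, float]] = {}  # token -> (student_id, expires_at)


def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now


def issue_print_link(session_cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Mint a single-use token bound to the logged-in student's own audit."""
    student_id = SESSIONS.get(session_cookie)
    if student_id is None:
        return None
    token = secrets.token_urlsafe(32)
    _print_links[token] = (student_id, _now(now) + PRINT_LINK_TTL)
    return token


def print_by_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Redeem a print token exactly once; unknown or expired tokens get nothing."""
    entry = _print_links.pop(token, None)
    if entry is None:
        return None
    student_id, expires_at = entry
    if _now(now) > expires_at:
        return None
    for audit in AUDITS:
        if audit.student_id == student_id:
            return audit.body
    return None


if __name__ == "__main__":
    # The experiment from the post: take your own print URL and change the trailing digits.
    print(vulnerable_print_view("483920118"))              # another student's audit, no login
    print(hardened_print_view(None, "483920118"))          # None: no session
    print(hardened_print_view("sess-alice", "483920118"))  # None: not her record
    print(hardened_print_view("sess-alice", "483920117"))  # her own audit
```

The ownership check is the fix that matters; the token scheme is the extra step that also answers the "copied URL still works after logout" problem, and the single-use, expiring token is what makes the "how many records were exposed over 30 days" question moot.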
To correct the facts stated in the article, I originally emailed both the Registrar’s office and University IT Help late Tuesday night. I didn’t expect a prompt response during the summer, and was pleasantly surprised at how quickly they both responded to my email and acted on the flaw (by first disabling the print functionality and then later adding a patch). One of the people I corresponded with credited the screencast I originally made of the exploit as “very valuable in [their] initial testing.” Additionally, I did not look at the degree audits of three other students.
If I were doing the reporting on the story, I would also vet the claims of the University regarding the number of student records you could access with the exploit. Only allowing “15 to 20” student records to be publicly accessible to anyone is still in violation of FERPA and, depending on how the system works, the exploit could have allowed access to different student records at different periods of time. I’m pretty sure that I’ve been able to print my degree audit the entire time I’ve been at the University of Oregon.