Students can view their colleagues' sensitive information due to a data breach at Stanford University
Private student data, including admission files and other sensitive details, was exposed due to a breach at Stanford University. The vulnerability allowed students to view admission records, essays, personal information, Social Security numbers, and even addresses and criminal records of other students.
Such data was exposed when the numeric ID that every student receives to access their own files was changed. When students requested to view their individual files, they could see information about their colleagues. The vulnerability in NolijWeb, a third-party content management system, was discovered by a student who submitted a Family Educational Rights and Privacy Act (FERPA) request.
Stanford University has used this system since 2009, and since 2015 students who submit FERPA requests have been able to view their files through NolijWeb. In their report on this data breach in The Stanford Daily, Julia Ingram and Hannah Knowles state that tweaking a URL for the FERPA request was the cause of the personal data exposure:
Accessible documents contained sensitive personal information including, for some students, Social Security numbers. Other obtainable data included students’ ethnicity, legacy status, home address, citizenship status, criminal status, standardized test scores, personal essays and whether they applied for financial aid. Official standardized test score reports were also accessible.
A total of 93 students had their privacy compromised during the breach
The flaw was discovered at the end of January, and between the 28th and 29th around 81 students' records were compromised. Stanford reports that the breach was investigated further and that 93 affected students will be notified by the authorities. People who requested access to their own FERPA files encountered this flaw and reported it to the authorities, which helped to gather more information about the exposed records.
FERPA is a U.S. federal law that gives parents specific protections regarding their children's education records. Students who are at least 18 years old can request access to sensitive records such as academic transcripts and application materials, including the student numeric ID.
Stanford admission counselors rate applicants on personal qualities, interviews and various testing results. This rating, the legacy status, and the summary written by officers can be requested for viewing by any student, including those who want to receive printed copies of their admission documents. NolijWeb is the service used to store this information, and a vulnerability in this third-party application led to the data exposure.
Vulnerability found in the NolijWeb app, in use since 2009
NolijWeb is a popular platform used by many other schools and universities because it helps students access their school files. It is possible that the vulnerability discovered in this case may affect other institutions in the future. After the FERPA request is approved by the University, the student gets a link that redirects them to a NolijWeb page. After entering their ID into the search bar, students can see their documents.
Using file identifiers in URLs like these is a common practice, although websites also have other protections. Because the files were linked through numeric IDs, the flaw didn't allow students to look up documents by a specific name. Changing the file's ID number in the URL permitted access to other students' data.
However, the student who discovered this flaw was concerned that Social Security numbers were also accessible, and stated that anyone with the right knowledge of web development could have exploited this flaw:
It wasn’t anything sophisticated. You change the ID slightly and it just gives you someone else’s records.
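The flaw described in this article is a file lookup keyed only on the ID in the URL. As an added example (not NolijWeb's code, which the article does not show; the store, account names and function names are hypothetical), here is that pattern beside a per-request ownership check, plus a counter that surfaces accounts repeatedly requesting files they do not own:

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str   # account the file belongs to
    title: str

# Constructed sample data: sequential numeric IDs, as the article describes.
STORE = {d.doc_id: d for d in (
    Document(1001, "student_a", "admission file"),
    Document(1002, "student_b", "admission file"),
    Document(1003, "student_c", "admission file"),
)}

class NotFound(Exception):
    """Raised for missing AND not-owned files, so replies do not confirm which IDs exist."""

def fetch_unchecked(session_user: str, doc_id: int) -> Document:
    # Flawed pattern: the ID from the URL is the only thing consulted.
    # session_user is authenticated but never compared with the file's owner.
    doc = STORE.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc

# Per-account count of requests for files owned by someone else.
denied = Counter()

def fetch_checked(session_user: str, doc_id: int) -> Document:
    # Corrected pattern: authorize every object lookup against the session.
    doc = STORE.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    if doc.owner != session_user:
        denied[session_user] += 1   # keep a trail for later review
        raise NotFound(doc_id)
    return doc

def accounts_to_review(threshold: int = 2) -> list[str]:
    # Repeated denials from one account suggest ID stepping; surface them.
    return sorted(user for user, n in denied.items() if n >= threshold)
```

The check belongs on the server for every request that resolves an ID to a record; making IDs harder to guess does not replace it.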