How I Hacked DePauw University Using Hidden Inputs
Thomas Ring

The university’s response really doesn’t surprise me. Such reports make bureaucrats defensive, and it’s typical to want to slay the messenger. There is a history of messenger-slaying in cybersecurity. Look up Randal Schwartz for a notorious case. The bureaucrats only respond positively if they’ve already established a procedure for responding positively, like a published bug bounty policy.

If I understand the original vulnerability correctly, I see why DePauw didn’t worry about it much. As a security person, I’d want to make sure that such carelessness isn’t applied to confidential student records. It seems likely, since a similar vulnerability exists in student scheduling.

It’s like squishing an insect. You can squish ants and get away with it. Squishing a hornet can make a whole nest angry.

Here’s my own ‘security assessment’ on the original vulnerability — it’s no big deal because the stakes are so low. If I followed this correctly,

  • The attack isn’t available to the general public, only to people logged in to the DePauw system.
  • The attack provides credentials for physical access to individual mailboxes, which reside on the DePauw campus.
  • DePauw logs all transactions to retrieve mailbox combinations.

Should this vulnerability exist? No. Is it worth a lot of engineering to fix? That’s a matter of opinion. If it’s an ant, ok. But this seems to reflect deeper flaws in how the university protects student data. Squishing a hornet.
