Thanks to The Technique for covering this story.
UPDATES ON THE STORY
[03/28/2018]: It appears that the vulnerable login feature has been disabled, as of today. Patching is complete. Redacted portions of the post have been restored.
[03/28/2018]: According to a credible source, GT CyberSecurity responded that they are aware of the issue and implementing a fix by the end of the day today.
[03/27/2018]: Portions of the article have been voluntarily redacted until further notice, as a safety measure.
Disclaimer: This article contains a serious vulnerability disclosure and is intended for educational and safety purposes only. Do not attempt to violate any Institute policies or laws in your jurisdiction, or make use of this knowledge for malicious purposes — doing so would be unethical and of course, illegal. I hereby waive any personal responsibility and liability in the form of injury, damage or any consequences arising from your actions, should you get yourself “in trouble” by attempting to do anything unlawful or that which is prohibited by Georgia Tech’s policies, or otherwise.
As a Security Researcher and an ethical hacker, I am morally bound by an informal, generally-accepted “code of ethics” practiced by others in the industry — most notably, first notifying the vulnerable software provider and/or product owner of the security weakness, and giving them a fair amount of time to patch the vulnerability (~60-90 days) prior to making the vulnerability public knowledge. I have followed the same “standard” practice, with the exception of providing a very generous grace period — over 13 months. The disclosure timeline can be referred to at the bottom of this page.
My intent in posting this security advisory is to notify every member of the Georgia Tech community — faculty, students, staff, prospective applicants and alumni — so that they can safeguard themselves immediately. The disclosure is vital because well over 1 year has elapsed since the Institute was first made aware of the vulnerability and no policy changes seem to have been implemented. It is also unclear if any patch(es) or randomized-PIN resets have been applied by the Georgia Tech administration to safeguard older (i.e. alumni) accounts.
Moreover, by not patching this critical flaw, the Institute may be in violation of the Family Educational Rights and Privacy Act (FERPA), especially if any sensitive student information — including but not limited to grades, courses taken, full name(s), financial aid status, billing records, social security number(s), address(es) and other Personally Identifiable Information (PII) — was disclosed in an unauthorized manner.
If you happen to come across any vulnerabilities at Georgia Tech, you are strongly encouraged to notify the Institute immediately at the following link(s):
- Vulnerability Reporting: https://security.gatech.edu/report-vulnerability
- Responsible Disclosure Policy: https://policylibrary.gatech.edu/information-technology/responsible-disclosure-policy
Given my profession, my curiosity leads me to places which only seem so “secure”. While the majority of my security research activities focus on ethically discovering technical flaws, the one described here is rather a flaw in the policymaking process and the workflow implemented by the Institute when creating new accounts and “securing” them — it is the result of oversight and negligence, to say the very least.
Georgia Tech is one of the most prestigious universities in the world, let alone the U.S., and is consistently ranked as such. I’m a proud Yellow Jacket myself. The Institute has a track record of producing groundbreaking research and some of the brightest minds — notable alumni who have been very successful in their fields, including the former U.S. President, Jimmy Carter — and this detail is relevant to the story.
Entities affected by this vulnerability include:
- Famous GT members — including current and former (alumni) students, celebrities, and staff of the Institute whose information, such as Date of Birth, is public, and/or,
- Current and former members whose Date of Birth is well known (for example, your family/friend(s)) and who have never logged into OSCAR directly using PIN-based login (i.e. they have always used BuzzPort’s automatic single sign-on (SSO)).
- GT Rejects or Former Applicants — those who were denied an admission, or those who refused to enroll at Georgia Tech, after being offered an admission. Their information, including Social Security Number (SSN), Date of Birth, addresses, admission status, etc. may remain in the system.
Georgia Tech primarily uses 3 information systems that are the powerhouse of the Institute’s IT infrastructure — that means everything. The systems assist with authentication/access management, billing (yes, keeping banking information too), class registration, grade submissions and retrievals, enrollment verifications, transcript ordering, financial aid processing, payments, tax documents, admissions and other confidential records.
- Passport — An Identity and Access Management (IAM) solution that lets you set up your username/alias(es), e-mail account, 2 Factor Authentication (2FA), password, emergency contact information, etc. Passport credentials power the Single Sign-On (SSO) functionality across GT services and systems.
- OSCAR — The apparently-dated information system, developed by Ellucian Software, which is used in all of the critical actions and for record-keeping: registration, grades, billing, financial aid, addresses, SSNs, tax, etc.
- BuzzPort — A central hub using SSO which lets you access Registration/OSCAR and other systems using your Passport credentials.
Normally, as a newly admitted student or member of the community, you will be instructed to create your Passport account, set up your mailbox(es) and log on to BuzzPort — all of this can be achieved by using Passport alone. Meanwhile, your underlying OSCAR account, which you will be using for everything — from class registration to tracking your grades to signing up for direct deposit (using banking information), etc. — will be created automatically.
OSCAR has at least two entry points:
1. You could either log on to BuzzPort, and then click on the Registration / OSCAR link, which will automatically log you into OSCAR using SSO, and display it as an embedded iframe within BuzzPort itself. This is arguably more secure than the second approach listed below.
2. Alternatively, you could go to OSCAR and use the “Secured Access Login (Id & PIN required)” link. This option enables you to log in to OSCAR with your GT ID number and PIN.
This is where the fun begins — for the hacker.
- According to the Registrar’s website, by default, your PIN is your Date of Birth (in MMDDYY format) — when logging into OSCAR for the first time.
- Forgot your GT ID? You can look up your GT ID # just using your name and Date of Birth — here.
Now, you can already imagine how this is going to end up in a disaster — especially for those users who have never logged in to OSCAR using ID/PIN before. And mind you, a lot of the folks would have no reason to — especially since it’s more “standard” to use BuzzPort’s SSO login for various GT services.
Proof of Concept (PoC)
Here’s one of the ways in which the vulnerability can be exploited:
1. The attacker googles famous GT alumni whose Date of Birth may be readily available.
Bonus: Step 1 can be omitted if the target is a close acquaintance, who is also a GT member and whose Date of Birth is known, e.g. a Facebook friend or family member.
2. The attacker is able to look up their target’s GT ID # using this convenient tool that only needs a Name and Date of Birth.
3. Once the attacker has obtained the GT ID #, they can use OSCAR’s “Secured Access Login (Id & PIN required)” feature. Assuming the user has never logged in to OSCAR without using BuzzPort, this would almost guarantee a successful outcome.
Potential Data Disclosure
Once the attacker is able to successfully log in, the following pieces of information should be available to them — much like with any authorized login:
Note: For demonstration purposes, I have logged in to my account in an authorized manner and removed any sensitive information from the screenshots.
And that’s just a few examples of the types of information provided by the system. From OSCAR, you could dive right into financial aid records and the Bursar’s billing records, detailing a financial summary of your account. Misuse of a lot of this information can easily lead to identity theft and unauthorized financial transactions.
Warning: OSCAR is exempt from 2FA
To add misery to an already disastrous situation, even if you have two-factor authentication enabled in Passport for BuzzPort and other GT applications, OSCAR remains exempt. You still only need a GT ID # and PIN for OSCAR.
How to Protect Yourself ASAP
The best defense against the vulnerability is to log on to OSCAR immediately and change your PIN.
- Visit OSCAR. Click on the “Secured Access Login (Id & PIN required)” link.
- Log in with your GT ID # and PIN (your Date of Birth as MMDDYY, by default).
- Set a new, hard-to-guess PIN.
- Preferably, for extra security, setup new Security Questions with answers which are not public information — yes, that includes Mother’s Maiden Name (depending on where you live, public marriage records may contain this information).
Thankfully, OSCAR will lock out the account if, from this point on, anyone tries to guess your PIN aggressively by brute force. Until then, you are at the mercy of the attacker.
Advice to Georgia Tech
- Retire OSCAR’s GTID/PIN-based login functionality altogether. The legacy authentication feature does not appear to support two-factor authentication either. OSCAR can already be accessed securely with the existing BuzzPort SSO system, which supports two-factor authentication.
- If the above solution is not feasible, reset all unchanged OSCAR PINs using, for example, a simple database query, to randomized values — not the user’s Date of Birth. The new value may then be securely retrieved by the user either via BuzzPort/Passport or by contacting the Office of Information Technology (OIT) directly. This measure will especially protect older (e.g. alumni) accounts and those of former applicants, who were denied an admission, declined to accept an offer of admission or otherwise had no reason to log on to OSCAR in the first place.
- Don’t ignore security advisories and vulnerabilities you are made aware of. Doing so puts all of us at risk.
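The second piece of advice above, the bulk reset of PINs that still equal the Date of Birth default, as an added example (not Georgia Tech’s or Ellucian’s code). It assumes PINs are stored as salted PBKDF2 hashes and that a PIN is six digits, matching the MMDDYY default the Registrar describes; the records are constructed for the demonstration.

```python
"""Find accounts whose PIN is still the MMDDYY Date-of-Birth default and
replace it with a random PIN. Added example with constructed records;
the hashed-storage layout and 6-digit PIN length are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date

PBKDF2_ROUNDS = 100_000  # assumed; real deployments tune this


def dob_default_pin(dob: date) -> str:
    """Default PIN per the Registrar: Date of Birth as MMDDYY, zero-padded."""
    return dob.strftime("%m%d%y")


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    gt_id: str          # constructed GT ID #, not a real one
    dob: date
    salt: bytes
    pin_hash: bytes
    pin_changed: bool = False  # marks a reset whose new PIN must go out of band


def make_account(gt_id: str, dob: date, pin: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(gt_id, dob, salt, hash_pin(pin, salt))


def uses_default_pin(acct: Account) -> bool:
    """Compare the stored hash against the hash of the DOB-derived default."""
    expected = hash_pin(dob_default_pin(acct.dob), acct.salt)
    return hmac.compare_digest(expected, acct.pin_hash)


def random_pin(dob: date, length: int = 6) -> str:
    """Random numeric PIN that is guaranteed not to equal the DOB default."""
    while True:
        pin = "".join(secrets.choice("0123456789") for _ in range(length))
        if pin != dob_default_pin(dob):
            return pin


def reset_default_pins(accounts: list[Account]) -> list[str]:
    """Re-key every DOB-default account; return the GT IDs that were reset."""
    reset = []
    for acct in accounts:
        if uses_default_pin(acct):
            acct.salt = secrets.token_bytes(16)
            acct.pin_hash = hash_pin(random_pin(acct.dob), acct.salt)
            acct.pin_changed = True
            reset.append(acct.gt_id)
    return reset
```

The new PIN itself is never kept here; in practice it would be handed to the user through Passport/BuzzPort or OIT, as the advice above suggests, rather than stored or e-mailed.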
Disclosure Timeline
- Feb 9, 2017: Georgia Tech made aware of the vulnerability and the possible consequences.
- Feb 14, 2017: Georgia Tech acknowledged the receipt of the email and that they were aware of the vulnerability.
- Feb 20, 2018: The policy around retrieving GT ID # using Date of Birth remains intact and so does OSCAR’s default PIN setting.
- Mar 26, 2018: Public disclosure via Medium.
- Mar 28, 2018 ~1:15 PM: Vulnerable login feature disabled by Georgia Tech with OSCAR instance patched.
© 2018. Akshay Sharma.