Georgia Tech is hackable — here’s how to protect yourself.
Thanks to The Technique for covering this story.
UPDATES ON THE STORY
[03/28/2018]: It appears that the vulnerable login feature has been disabled, as of today. Patching is complete. Redacted portions of the post have been restored.
[03/28/2018]: According to a credible source, GT CyberSecurity responded that they are aware of the issue and implementing a fix by the end of the day today.
[03/27/2018]: Portions of the article have been voluntarily redacted until further notice, as a safety measure.
Disclaimer: This article contains a serious vulnerability disclosure and is intended for educational and safety purposes only. Do not attempt to violate any Institute policies or laws in your jurisdiction, or make use of this knowledge for malicious purposes — doing so would be unethical and of course, illegal. I hereby waive any personal responsibility and liability in the form of injury, damage or any consequences arising from your actions, should you get yourself “in trouble” by attempting to do anything unlawful or that which is prohibited by Georgia Tech’s policies, or otherwise.
As a Security Researcher and an ethical hacker, I am morally bound by an informal, generally-accepted “code of ethics” practiced by others in the industry — most notably, first notifying the vulnerable software provider and/or product owner of the security weakness, and giving them a fair amount of time to patch the vulnerability (~60-90 days) prior to making the vulnerability public knowledge. I have followed the same “standard” practice, with the exception of providing a very generous grace period — over 13 months. The disclosure timeline can be referred to at the bottom of this page.
My intent for posting this security advisory is motivated by my desire to notify every member of the Georgia Tech community — faculty, students, staff, prospective applications and alumni, to safeguard themselves immediately. The need for the disclosure is vital as well over 1 year has elapsed since the Institute was first made aware of vulnerability and no policy changes seem to have been implemented. It is also unclear if any patch(es) or randomized-PIN resets have been applied by the Georgia Tech administration to…
