Postmortem: how a student portal exposed 1,000,000 users’ account information

The expulsion that landed me over 100 news articles, 10 T.V. interviews, and 40 job offers worldwide.

Hamed Al-Khabaz
5 min read · May 13, 2014

Let’s start with what was leaked — Social Insurance Numbers (SSN equivalent in the US), full names, emails, home addresses, locker combinations, grades, schedules, and Student ID photos. It affected about 1 in every 5 students in Canada. [1]

Don’t fret, all of this happened in January 2013, and the vulnerability has long since been patched. The cost? A student got expelled. If you have never heard about the story or want a refresher, I suggest this HN post (comments included for your convenience, with the story linked to the original article).

When they told me that my story was going to be featured on a news site, I was determined to show appreciation to every supportive comment and to elaborate on my situation by replying to the negative ones. I thought the article was going to get 1000 views tops. I was gravely mistaken.

Shortly after the first article went up around 2 in the morning, friends and family reached out to me telling me that I was in the news. I had to sleep that night because I was told there would be a follow-up on a local radio station in the morning. Safe to say that I couldn’t sleep at all. I decided to read the comments without being able to do anything because there were too many. The whole thing spewed out debates around the internet on the ethics of my actions.

That week was one of the most exciting times of my life, as well as one of the most stressful. Knowing that millions of people have seen your face or read your story all around the world is definitely something to be proud of (at least for me).

I can write a lot more about my reactions at the time. However, this post will focus more on what the press failed to mention.

Ars Technica once asked how the flaw was discovered and dealt with from a technical standpoint. I wasn’t sure if I should tell them at the time, but today I am confident that it shouldn’t be a problem for Skytech (the company that developed the student portal). So here it is: how I discovered the flaw, explored its boundaries, and proposed a patch for this serious issue.

How it all started

It all started at the beginning of the semester when I was solving my own problems. One of the most annoying things about the college portal was that it did not have an auto-login feature. Even worse, your session expires after 5 minutes of inactivity. I had to type my student ID and password over and over again just to check common notifications.

The good news is that writing software for the web is very extensible. I can inject JavaScript code into any page and make it look and react the way I like. That’s how I ended up building a browser extension to solve this login issue. Once built, it saved a couple of compsci students and me an enormous amount of time.

Discovery of the loophole

While working on the browser extension, it struck me how old and deprecated their codebase (HTML, JS) looked. Curiosity got the best of me: I decided to put my rusty hackthissite.org skills to real use. [2]

I tried to find small mistakes, maybe sensitive data exposed in a string, a block comment, or a param in a GET request. At some point while digging, I had my Chrome Dev Tools open on the Network tab while accessing my grades. I noticed that a weird 302 redirect was happening a few times until it landed me on my grades page. I turned on “preserve log” and went through the same process again. I ended up with a URI accepting some sort of encrypted ID, as seen here:

“/estd/VerifLogin.ovx?sid=591fae8374813f&redirect=/estd/hrre/grades.ovx”

I knew sid was short for Student ID, but why was it encrypted? I mutated the sid param expecting a 403 but, lo and behold, I got a 302 to some random user’s grades. Awesome and WTF were my initial reactions.

Dissecting the vulnerability

Notice the sid parameter “591fae8374813f”? That’s my encrypted Student ID. My actual raw sid is “1034786”. How did we get from “591fae8374813f” to “1034786”, or vice versa? Can you guess the encryption or decryption method?

I didn’t need to decrypt it. I cheated using the power of brute force. Whenever it returned a 200 OK status, I was able to read the raw format of an ID. And just like that, I built a decryption table and was able to access anybody’s data going back to 1998.

I wasn’t able to figure out the encryption algorithm they used. There’s obviously a pattern behind it. I don’t think Skytech spews out random static hex numbers depending on the ID. Maybe one of you readers might be able to solve it. If so, you’ll probably need some sample data for this problem. Check the footnotes for the rules if you are interested. [3][4]

Conclusion

The big no-no isn’t that the encryption method is weak; it’s that anyone could access anyone’s private information with no authentication. All you needed was the URL.

A couple of days after Skytech learned about the exploit, a hotfix was introduced. They refined it by making it harder to decrypt. The actual patch was introduced after further meetings with Skytech. Today, it no longer relies on any encryption method.
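The difference between the hotfix and the real patch is the point of the whole story: obscuring the token harder still leaves the token as the only thing standing between a URL and a student’s record, whereas binding the lookup to the logged-in session makes the token irrelevant. The following is an added illustration, not Skytech’s code, modelling both shapes of the VerifLogin lookup with constructed tokens and records.

```python
# Added example, not Skytech's code: a minimal model of the VerifLogin.ovx
# lookup in the vulnerable shape the post describes, beside a version that
# ties the record to the authenticated session. All data is constructed.
from typing import Optional, Tuple

# Constructed: opaque sid token -> raw student ID, and per-student records.
SID_TABLE = {"591fae8374813f": "1034786", "7c0d2e9b4a1f55": "1133556"}
RECORDS = {"1034786": {"grades": "A"}, "1133556": {"grades": "C"}}


def vulnerable_lookup(sid: str) -> Tuple[int, Optional[dict]]:
    """Vulnerable: whoever supplies a token that resolves gets that student's
    record. Nothing checks who is logged in, so the token is the only secret,
    and making it harder to guess only slows the enumeration down."""
    student = SID_TABLE.get(sid)
    if student is None:
        return 403, None
    return 200, RECORDS[student]


def hardened_lookup(session_student: Optional[str],
                    sid: Optional[str]) -> Tuple[int, Optional[dict]]:
    """Hardened: the record is chosen by the server-side session, never by the
    URL. A client-supplied sid is tolerated only if it is the caller's own;
    anything else is refused, and is a useful signal to alert on."""
    if session_student is None:
        return 401, None            # no session, no record
    if sid is not None and SID_TABLE.get(sid) != session_student:
        return 403, None            # token belongs to someone else
    return 200, RECORDS[session_student]


if __name__ == "__main__":
    # Same foreign token, two outcomes: leaked vs. refused.
    print(vulnerable_lookup("7c0d2e9b4a1f55"))            # (200, {'grades': 'C'})
    print(hardened_lookup("1034786", "7c0d2e9b4a1f55"))   # (403, None)
```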

How was something that simple leaking for so many years? My confidential data, along with that of another million students, was just openly accessible to anyone.

The good news is that without my reporting the problem to the staff, there wouldn’t have been a patch for this flaw. I later got kicked out of the college for pursuing it further after they told me to stop. [5]

Today

So what am I doing today? Did I get a job? Did I decide to go back to school?

I’m actually working on a startup I co-founded. We raised a small seed round last August and are now looking to grow bigger.

Thanks for reading.

Notes

[1] It was initially reported that 250,000 accounts were exposed. Upon further investigation and internal confirmation, the final numbers were actually higher than 1M.

[2] The transition wasn’t sudden. I started off wondering whether we should entrust our data to this poorly built system. I figured nobody would hear me out anyway if I suggested to the IT staff that our system was not secure, so I decided that I would need to get my hands dirty.

[3] The flaw has long been fixed and the mechanism completely changed (it no longer relies on encryption). They have also never disclosed the decryption formula to me, so I don’t know the answer.

[4] You can use this gist (brute force algorithm) to check your answers and generate test cases. The raw SID is always 7 characters long, and it’s composed only of digits. The first 2 characters are the year the user signed up with the portal. In my case, “1034786” indicates that the user signed up in 2010. The following are valid SIDs: “1133556”, “0933556”, “1400000”. Get cracking.

[5] They wouldn’t let me continue even though I was doing this openly and documenting everything like a real penetration test. They claimed they had their own professionals pentesting the portal every month and that they would pursue my leads further. I had read access, and I thought I would only be helping them if I discovered write access.


Hamed Al-Khabaz

I am a web fanatic and think that HTML5 will take over the world, including programming our microwaves. Currently CEO at Stay22.com