A third-party vulnerability exposed admission records, essays, transcripts and sensitive personal information of Stanford University students, including Social Security numbers, ethnicity, legacy status, home address, citizenship, criminal record and financial situation, writes The Stanford Daily.
The university has been using NolijWeb, the vulnerable content management system, for about 10 years but now plans to find another platform to host its files. NolijWeb is a highly popular platform among schools and universities to let students access school files, and other institutions could be dealing with the same vulnerability.
The glitch has apparently leaked student files since 2015. Students who submitted requests under the Family Educational Rights and Privacy Act (FERPA) could not only see their own education records, but those of other students as well. The vulnerability was detected and investigated by a student who gained access to the data by simply changing numeric IDs in the URL. It could have been manipulated by anyone with web development experience, the student explained.
“It wasn’t anything sophisticated. You change the ID slightly and it just gives you someone else’s records,” the student said.
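The flaw the student describes is an insecure direct object reference: the numeric record ID in the URL is trusted without checking that the record belongs to the logged-in user. The following is an added illustration, not NolijWeb's code (its implementation is not described here), showing such a lookup beside the per-object authorization check that closes it and a log check a defender could run; all record data and usernames are constructed.

```python
# Added illustration of the bug class in the article: a record lookup keyed
# only on the URL's numeric ID, beside a version that also checks ownership.
# Records, users and the access log below are constructed, not real data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str          # authenticated username the record belongs to
    contents: str


# Constructed store: IDs are sequential, as the student's description implies.
RECORDS = {
    1001: Record(1001, "alice", "alice's transcript"),
    1002: Record(1002, "bob", "bob's admission essay"),
}


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized."""


def fetch_record_vulnerable(current_user: str, record_id: int) -> str:
    """IDOR: a valid login is the only gate; any ID typed in is returned."""
    return RECORDS[record_id].contents


def is_owner(current_user: str, record_id: int) -> bool:
    """Authorize the object, not just the session. Missing and foreign
    records both yield False so responses cannot be used to enumerate IDs."""
    rec = RECORDS.get(record_id)
    return rec is not None and rec.owner == current_user


def fetch_record_hardened(current_user: str, record_id: int) -> str:
    if not is_owner(current_user, record_id):
        raise Forbidden(f"user {current_user!r} may not read record {record_id}")
    return RECORDS[record_id].contents


def detect_cross_user_reads(access_log):
    """Defender-side check over (user, record_id) log entries: flag reads
    where the record's owner differs from the authenticated user."""
    return [(user, rid) for user, rid in access_log
            if rid in RECORDS and RECORDS[rid].owner != user]


if __name__ == "__main__":
    # alice, logged in, changes 1001 to 1002 in the URL
    print(fetch_record_vulnerable("alice", 1002))   # bob's essay leaks
    print(detect_cross_user_reads([("alice", 1001), ("alice", 1002)]))
```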
During the investigation, the student looked at 81 students’ records between Jan. 28 and 29, but the security incident has been mitigated in the meantime. In total, 93 students were affected by the breach and are to be informed by the university.
According to Stanford spokesperson Brad Hayward, so far no other “instances of unauthorized viewing” have been detected.
“Exploiting this vulnerability requires an authenticated student login and specific knowledge of the application’s underlying behavior,” Hayward wrote for The Stanford Daily. “We believe this to be the first report of the issue. We regret this vulnerability in our system and apologize to those whose records were inappropriately viewed. We have worked to remedy the situation as quickly as possible and will continue working to better protect our systems and data.”
As soon as the glitch was detected, the platform was disabled until further notice.