A vulnerability in the system that allows Stanford University students to view their records gave one student the ability to view the Common Applications and high school transcripts of other students. The key was to first request the ability to view their admission documents under the Family Educational Rights and Privacy Act (FERPA).
A wide variety of data was visible through the vulnerability: students' Social Security numbers, ethnicity, legacy status, home address, citizenship status, criminal status, standardized test scores, personal essays, official standardized test scores, and whether they applied for financial aid.
In the process of researching the vulnerability, the student was able to see information on a total of 81 students. Others doing research found information on an additional dozen students. In every case, the information was released through a URL involving an ID number, rather than searching for the student info by name or other information. The university says it will inform the 93 students affected of the breach.
The system, NolijWeb, has been patched. Student researchers and the student newspaper followed responsible disclosure guidlines in reporting the vulnerability and breach.
Read more here.
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.