The private data of students at Stanford University was exposed after someone changed a numeric ID in a URL that had been distributed to students who requested access to review their own files, according to The Stanford Daily.
In total, 93 students have been notified that their privacy was compromised. According to the report, a university student made a Family Educational Rights and Privacy Act (FERPA) request to view their admissions documents, not at all unusual.
A Stanford student reportedly found the vulnerability in a third-party system called NolijWeb, a content management system that the university has used to host scanned files since 2009.
The process starts with a users submitting a FERPA request. Then students are directed to a “Student Admission Documents” link on Stanford’s information portal. Once in the portal, users are directed to NolijWeb, where they must enter their personal student IDs in order to search for their personal documents.
These scanned documents include sensitive personal information such as Social Security numbers, home addresses, ethnicity and personal essays, along with citizen and criminal statuses.
“When a user views one of their files, the browser performs a network request. However, a student may use tools like Google Chrome’s 'Inspect Element' – commonly used by programmers to debug websites – to view that network request’s URL and modify it to give them access to another student’s files,” The Stanford Daily wrote.
“Because URLs and files are linked through numeric IDs, the NolijWeb vulnerability did not allow students to retrieve documents by name nor by any other identifying information. Instead, incrementing file ID numbers in URLs allowed access to arbitrary students’ files.”
News of the exposed data was not reported until Stanford University was able to secure a breach, and the individual who disclosed the vulnerability did so on condition of anonymity so that the student would not face legal consequences.
That the student data was accessed by making a change to a numeric IDs in a URL suggests that the number in question was sequential (not random) and therefore could easily be guessed, according to privacy advocate Paul Bischoff of Comparitech.
“The fact that these records were not better secured is a failure of Stanford's IT staff to properly vet third-party software NolijWeb. Students whose records were accessed were put at a high risk of identity theft and fraud. The contents of the files included Social Security numbers, so anyone affected by the breach should immediately place a credit alert on their credit report.”