Sydney Uni exposes student info

The University of Sydney has exposed thousands of student details including names, addresses and course information to public access via the internet.

(Credit: Simon Strangaard, CC2.0, and
Kitty Saturn, public domain)

The details were stored in a way that allowed it to be accessed by altering identification numbers revealed in a university web address.

University of Sydney vice chancellor spokesperson, Andrew Potter, said the details have been pulled offline and the university is investigating the matter.

"We confirmed that method of access was possible and immediately we shut it down," Potter said. "We do not know as yet if details were compromised."

Potter did not rule out contacting students to warn them of the breach, but was unsure if an IT forensic investigation was underway.

A review of logs could reveal if the details were compromised, but industry track records suggest many similar attempts do not.

"It depends on having the right logging, which is seldom the case," HackLabs director Chris Gatford said.

Such vulnerabilities, where data can be accessed by entering sequential numbers into a URL address, are common and are often introduced by software developers.

But common mitigation efforts also fail.

"Developers move the identity from the URL to part of a post request, but it still doesn't mitigate the vulnerability," Gatford said. "You can use a local proxy then to identify that value and do the attack in the post of the request".

The vulnerability was pointed out to the university by the Sydney Morning Herald, which also reported earlier this week that the university's website and corporate web pages had been hacked and defaced.