Stanford Vulnerability Allowed Students to View Other Students

Stanford Vulnerability Allowed Students to View Other Students' Data

Between Jan. 28 and 29, the student briefly accessed the records of 81 students while trying to assess the scope of the vulnerability. The documents were not searchable by name, but were instead accessible by changing a numeric ID in a URL.

  • By Jessica Davis
  • February 20, 2019

The Stanford Daily has reported that a now-fixed security vulnerability allowed Stanford students to view the applications and high school transcripts if they first requested to view their own admission documents under the Family Educational Rights and Privacy Act (FERPA).

The vulnerability was discovered by a student who recently submitted a FERPA request for their own documents in a third-party content management system called NolijWeb.

Between Jan. 28 and 29, the student briefly accessed the records of 81 students while trying to assess the scope of the vulnerability. The documents were not searchable by name, but were instead accessible by changing a numeric ID in a URL.

When a student views one of their files, the URLs and files are linked through numeric IDs. While the vulnerability didn’t allow students to search documents by name or other identifying information, they could change file ID numbers in URLs to access arbitrary students’ files.

“It wasn’t anything sophisticated,” the student said of their methods. The student said anyone with experience in web development could have easily exploited the vulnerability. “You change the ID slightly and it just gives you someone else’s records.”

Accessible documents contained sensitive personal data, potentially including Social Security numbers, ethnicity, home address, citizenship status, criminal status, standardized test scores, personal essays and whether that student applied for financial aid.

According to university spokesperson Brad Hayward, Stanford has not identified other “instances of unauthorized viewing” but is still reviewing the situation. The university will notify the students whose privacy was compromised because of the security flaw.

“We regret this vulnerability in our system and apologize to those whose records were inappropriately viewed,” Hayward wrote in an email to The Daily. “We have worked to remedy the situation as quickly as possible and will continue working to better protect our systems and data.”

Stanford has notified Nolij’s parent company Hyland Software. It’s not clear how many schools using NolijWeb could be subject to the vulnerability.

About the Author

Jessica Davis is the Associate Content Editor for 1105 Media.

Featured

  • Electrified Latch Retraction Locks Key Benefits for Retrofits

    Building owners and facility managers increasingly rely on electrified hardware to enhance security while meeting accessibility standards. Among these technologies, electrified or motorized latch retraction locks are especially effective for retrofit projects where existing door and frame conditions complicate upgrades. Latch retraction capable locks combine security, accessibility and code compliance benefits, making them ideal for retrofitting fire-rated and non-rated openings in schools, healthcare facilities, commercial buildings and more. Read Now

  • How Cloud Security Solutions Are Transforming Campus Safety

    Campus administrators today face a challenging mandate: deliver stronger security across their facilities while working within tighter budget constraints. From school districts focused on student safety to hospitals protecting patients and staff, the question remains the same: how do you build security infrastructure that evolves with your needs without requiring massive capital investments? Read Now

  • Rethinking Campus Security From the Inside

    For decades, campus security strategies focused on keeping threats outside school walls. But since the tragedy at Columbine High School, data has shown that many attacks begin inside the building, often in classrooms and corridors. This shift has prompted schools to rethink security from the inside and place greater emphasis on interior elements such as classroom doors. This shift is evidenced by a new generation of classroom door systems engineered to delay inside intruders and an ASTM standard that raises the bar on how these systems must be designed to defend against attack. Read Now

  • AI in Security: Advancing Campus Safety and Considerations for Implementing

    Artificial intelligence (AI) continues to capture attention across every sector, and the physical security industry is no exception. Once seen as experimental, AI-enabled analytics now underpin how organizations monitor environments, detect threats, and make decisions. What was once futuristic is now a practical necessity for safety professionals managing growing volumes of data, tighter resources, and increasing expectations for faster, more accurate responses. Read Now

Most   Popular