USC admissions site cracked wide open
A programming error in the University of Southern California's online system for accepting applications from prospective students left the personal information of users publicly accessible, school officials confirmed this week.
The flaw put at risk "hundreds of thousands" of records containing personal information, including names, birth dates, addresses and Social Security numbers, according to the person who discovered the vulnerability. The Web programming error allowed the discoverer, who asked only to be identified by the alias "Sap," to slip commands to the site's database through the log-in interface. "The authentication process can be bypassed, and you can find the information for any student who has filled out an application online," the discoverer, who claimed to be a security-savvy student who found the flaw during the process of applying to USC, said in an email to SecurityFocus. "From there, you can view or change profile info, (and get) the person's user name and password combo. Entire tables can be exposed, remote command execution, you name it. Basically, they are owned."
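The error described above is the classic pattern of building a log-in query by splicing form fields into SQL text, so that quotes in the input become part of the query. The following is an added illustration, not code from the USC site or from SecurityFocus: it uses an in-memory SQLite table with constructed sample rows and shows the fragile query beside the parameterized form, checked with the textbook input a reviewer would use to confirm a fix.

```python
import sqlite3

# Constructed stand-in for an applicant login table; not USC's real schema.
# Plaintext passwords are kept only to mirror the article's description.
SAMPLE_ROWS = [
    ("alice", "s3cret", "000-00-0001"),
    ("bob", "hunter2", "000-00-0002"),
]


def build_db():
    """Create the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE applicants (username TEXT, password TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO applicants VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by string formatting: input is interpreted as SQL syntax."""
    sql = (
        "SELECT username FROM applicants "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql).fetchall()]


def login_hardened(conn, username, password):
    """Passes input as bound parameters: the driver never treats it as SQL."""
    sql = "SELECT username FROM applicants WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password)).fetchall()]


def check_fix():
    """Run both versions against a normal login and the textbook review input.

    Returns a dict the caller (or a test) can inspect.
    """
    conn = build_db()
    # Constructed review input: a quote and a comment marker end the
    # WHERE clause early in the concatenated query.
    review_user, review_pass = "' OR 1=1 --", "anything"
    return {
        "normal_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "normal_hardened": login_hardened(conn, "alice", "s3cret"),
        # The concatenated query matches every row: authentication bypassed.
        "review_vulnerable": sorted(login_vulnerable(conn, review_user, review_pass)),
        # The parameterized query treats the same input as a literal username.
        "review_hardened": login_hardened(conn, review_user, review_pass),
    }


if __name__ == "__main__":
    for name, result in check_fix().items():
        print(f"{name}: {result}")
```

The two functions differ in one line only: whether the user-supplied values travel inside the SQL string or as separate bound parameters. A code review or a grep for string formatting next to `execute(` calls finds the fragile pattern quickly, and the check above is a cheap regression test to keep it from coming back.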