The other day I discovered a flaw with the University of Ottawa website. In essence, it allowed any one of its 30,000+ students to hijack their student directory page to upload malicious code. This was not in the realm of the theoretical; it had only taken me a matter of minutes to set up the following fake phishing example. Whenever someone would visit my student page, they would be treated to a pop-up window that would ask them to log in to their university account again.
Putting their mouse over the pop-up would produce a warning that the log-in prompt was a fake:
It’s classic cross-site scripting. It would be obvious to some that this was a phishing attempt, but not to everyone. The solution was simple too: sanitize text. I sent an email to the head webmaster of UOttawa, but she never got back to me. Great! With the person supposed to care not giving a shit, I decided to go through the regular support channels all students use. Lo and behold, they sent this:
Mr. McArdle,
Thanks for submitting the problem to us and for the information you gave us. Have you spotted any such records that have exploited the vulnerability?
I lied and told them no. I didn’t want to mention the demonstration I had made. Then I was worried it was a mistake. A week had passed, and the vulnerability was still in place. This morning, I got this:
Mr. McArdle,
Thanks for the feedback. I’ve assigned the problem to the group in charge of InfoWeb.
So hopefully, hopefully, they’ll do something about this. But what are the odds? I honestly don’t think anything will be done. That’s the problem about security: too few care. There are lots of students at Ottawa U., and it wouldn’t take a genius to figure out what I did. And I’m a frickin’ physical geography student – not anything remotely close to computer science!
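The fix the post mentions, sanitizing text, as an added example that is not code from the post or from the university's InfoWeb system: a minimal directory-page renderer in Python, shown vulnerable and then hardened with context-aware escaping. The field names, the `showFakeLogin()` marker and the sample profile are constructed for the demonstration.

```python
import html
from urllib.parse import urlsplit

# Constructed sample: a directory profile whose fields carry the kind of
# injected markup the post describes (a script that pops a fake login box).
CONSTRUCTED_ENTRY = {
    "name": '<script>showFakeLogin()</script>Student Name',
    "program": 'Physical Geography" onmouseover="showFakeLogin()',
    "homepage": "javascript:showFakeLogin()",
}

def render_unsafe(entry):
    """Vulnerable rendering: profile fields are concatenated into HTML verbatim,
    so whatever a student typed into the directory form becomes active markup."""
    return (f'<h1>{entry["name"]}</h1>'
            f'<p class="program">{entry["program"]}</p>'
            f'<a href="{entry["homepage"]}">homepage</a>')

def safe_href(url):
    """Allow only absolute http(s) links in an href attribute; anything else
    (javascript:, data:, etc.) is replaced with an inert anchor, because
    HTML-escaping alone does not stop a javascript: URL from running on click."""
    if urlsplit(url.strip()).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)

def render_safe(entry):
    """Hardened rendering: each field is escaped for the context it lands in.
    html.escape(quote=True) neutralises <, >, &, and quotes, which covers both
    element text and double-quoted attribute values; the link gets a scheme check."""
    return (f'<h1>{html.escape(entry["name"], quote=True)}</h1>'
            f'<p class="program">{html.escape(entry["program"], quote=True)}</p>'
            f'<a href="{safe_href(entry["homepage"])}">homepage</a>')

def has_active_content(rendered):
    """Crude check used to compare the two renderers: does the output still
    contain a script element, an inline event handler, or a javascript: link?"""
    low = rendered.lower()
    return ("<script" in low or ' onmouseover="' in low
            or 'href="javascript:' in low)

if __name__ == "__main__":
    print("unsafe active content:", has_active_content(render_unsafe(CONSTRUCTED_ENTRY)))
    print("safe active content:  ", has_active_content(render_safe(CONSTRUCTED_ENTRY)))
```

A real deployment would do this escaping in the template engine (with auto-escaping on) rather than by hand, but the context rule is the same: text, attributes and URLs each need their own treatment.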
Update: I got the following message today…
Mr. McArdle,
Thank you for your astute observations and honesty and integrity in revealing the gap. This is a known bug and with a known solution and we are in the process of correction by [removed.]
Thanks again for reminding us of this urgency.