Software flaw allows Stanford students to view Social Security numbers, applications of other students
A student at Stanford University tipped off IT officials earlier this month to a software vulnerability that allowed any student to view the university application data of other students, including Social Security numbers, standardized test scores and personal essays.
The anonymous student who made the discovery accessed the university application data of 81 other students while testing the vulnerability’s extent, according to the Stanford Daily, the university’s newspaper. Students who requested access to their own undergraduate application data via the Family Educational Rights and Privacy Act had been able to manually change a numerical ID in the URL to gain direct access to other student records.
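The flaw described above is an object-level authorization failure: the application authenticated the student but then trusted the record ID in the URL without checking that the record belonged to that student. The following Python is an added illustration, not code from Stanford or NolijWeb, showing the unchecked lookup beside a version that checks ownership (or a staff role) per request, plus a simple audit rule over constructed access-log lines that flags a session reading more records than a self-service portal should ever serve. All record IDs, student names, roles and log lines are constructed for the example.

```python
"""Added example (not Stanford's or NolijWeb's code): per-object
authorization for a "view my application record" endpoint, and an
audit check that would surface one session reading many records."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample store: record id -> application record with its owner.
RECORDS = {
    1001: {"owner": "alice", "essay": "constructed essay A"},
    1002: {"owner": "bob", "essay": "constructed essay B"},
    1003: {"owner": "carol", "essay": "constructed essay C"},
}


class Forbidden(Exception):
    """Raised when an authenticated user asks for a record they may not view."""


@dataclass
class Session:
    user: str                                   # authenticated student id
    roles: frozenset = field(default_factory=frozenset)  # e.g. {"registrar"}


def fetch_record_unchecked(session: Session, record_id: int) -> dict:
    # Vulnerable pattern: the caller is authenticated (we hold a session),
    # but the record id taken from the URL is used as-is, so any logged-in
    # user can read any record simply by supplying a different number.
    return dict(RECORDS[record_id])


def can_view(session: Session, record_id: int) -> bool:
    # Authorization decision for one (user, object) pair: the owner may view
    # their own record; a hypothetical "registrar" role may view any record.
    record = RECORDS.get(record_id)
    if record is None:
        return False
    return record["owner"] == session.user or "registrar" in session.roles


def fetch_record_checked(session: Session, record_id: int) -> dict:
    # Hardened pattern: decide per request, per object, before returning data.
    # Both "no such record" and "not yours" produce the same error so the
    # endpoint does not reveal which ids exist.
    if not can_view(session, record_id):
        raise Forbidden(f"user {session.user!r} may not view record {record_id}")
    return dict(RECORDS[record_id])


# Constructed audit log, one line per record view: "<timestamp> <session> <record_id>".
# sess-A reads 12 distinct records; sess-B reads its own record twice.
SAMPLE_LOG = "\n".join(
    [f"2019-02-01T10:00:{i:02d} sess-A {1000 + i}" for i in range(12)]
    + ["2019-02-01T10:01:00 sess-B 1002", "2019-02-01T10:01:05 sess-B 1002"]
)


def sessions_over_threshold(log_text: str, threshold: int = 1) -> dict:
    """Return {session: distinct_record_count} for sessions that viewed more
    than `threshold` distinct records. In a self-service portal where each
    student is entitled to exactly one record, the default of 1 flags any
    session touching a second record; raise it for staff-facing views."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, session, record_id = line.split()
        seen[session].add(int(record_id))
    return {s: len(ids) for s, ids in seen.items() if len(ids) > threshold}


if __name__ == "__main__":
    alice = Session("alice")
    print(fetch_record_checked(alice, 1001)["essay"])     # her own record
    try:
        fetch_record_checked(alice, 1002)                  # someone else's
    except Forbidden as exc:
        print("blocked:", exc)
    print(sessions_over_threshold(SAMPLE_LOG))             # {'sess-A': 12}
```

The audit rule is deliberately crude: it needs only the three fields every access log already carries, and it would have surfaced the 81-record session described in the article without any knowledge of the flaw itself. The enforcement fix, not the audit, is the actual remedy; the audit is there because, as the university notes later, routine reviews of third-party software often skip what an authenticated user can reach.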
The system, called NolijWeb, has been used by the university since 2009 and has been accessible by students since 2015.
In a statement emailed to StateScoop, a university spokesperson said a total of 93 records had been accessed — 81 by the first student and the remainder by a second student who learned of the vulnerability from the first student.
“Thus far, we have not identified any other instances of unauthorized viewing, though our review is continuing,” university spokesperson E.J. Miranda said. “The privacy of records is deeply important to Stanford, and we will be notifying individuals whose records were viewed.”
Other personal information accessible through the portal includes ethnicity, legacy status, home address, citizenship status, criminal status, financial aid information, and 300-word summaries of students written by Stanford admissions counselors.
The school’s IT department told the Stanford Daily that the vulnerability had not been detected previously because its regular audits of third-party software do not look at scenarios involving authenticated users. A spokesman told the paper that no other instances of students abusing the flaw have been detected.
“We regret this vulnerability in our system and apologize to those whose records were inappropriately viewed,” Miranda said. “We have worked to remedy the situation as quickly as possible and will continue working to better protect our systems and data. Finding and fixing vulnerabilities before adversaries discover and exploit them is an ongoing and essential activity in systems management.”
Editor’s Note: Additional details were added to this story shortly after publication.