Reading @_TeaMp0isoN_’s Twitter timeline last night and this morning was somewhat disheartening. Tweet after tweet identified vulnerabilities that would enable hackers access to universities’ sites. For each school named, TeaMp0isoN indicated the type of vulnerability they had found and the vulnerable url. In some cases, if the university has a Twitter account, TeaMp0isoN included their Twitter account in the tweet to call their attention to their vulnerability. No data was dumped and many of the subdomains likely do not contain sensitive information, but once you’ve gotten in a door…
Rather than compound problems, I’m not linking to any vulnerable urls and am only naming the schools and type of vulnerability TeaMp0isoN reported. I should point out that it was not just the education sector they tweeted about last night – there were numerous tweets from other sectors, too. And yes, I realize that these problems are pretty common. But still…
Not surprisingly, within hours of @_TeaMp0isoN_ tweeting about a Harvard vulnerability, this happened:
@Harvard Can you explain why you have something called “brainwashing” in your database? @_TeaMp0isoN_
— CryptoSec™ (@CryptoSecurityz) April 12, 2015
So here’s the list of schools with the types of vulnerabilities detected:
Baptist Bible College – SQLi Vuln
Bucknell University – SQLi Vuln
California State University – SQLi Vuln
Cambridge University – SQLi Vuln
Case Western University of Law – SQLi Vuln
Harvard University – SQLi Vuln
Illinois institute of Technology – XSS Vuln
John Hopkins (Black students Union) – LFI vuln
Nassau University – SQLi Vuln
Northern Illinois University – SQLi Vuln
Ohio State University – SQLi Vuln
Plano Independent School District – XSS Vuln
Princeton University – SQLi Vuln
Spelman College – XSS Vuln
Stanford University – XSS Vuln
Stirling University – SQLi Vuln
University of California – Irvine: SQLi Vuln
University of Miami – SQLi Vuln
University of South Carolina – SQLi Vuln
University of Sydney – XSS Vuln
University of Texas – XSS Vuln
University of Texas – SQLi Vuln
Hopefully, the schools will follow up before others exploit the vulnerabilities.