Last week, this site compiled a list of universities and colleges that TeaMp0isoN had reported were vulnerable to SQL injection or XSS attacks. This week, I’ve again compiled their tweets into one list.
As I did last week, I am only providing the names of the schools and not the vulnerable urls. This week, however, I am also including universities reported to have XSS vulnerabilities by XSSposed.org.
The hyperlinks below go to reports of past hacks involving the named university. The absence of a link doesn’t mean the entity hasn’t been hacked – only that I don’t find any mention of a hack for them on this blog.
Bucknell University* (SQLi)
Cornell University (XSS)****
Indiana University (XSS)
McGill University (SQLi)
MIT (XSS)
New York University (two XSS vulnerabilities reported)
Princeton University** (XSS)
Stanford University*** (XSS)
Truman State University (SQLi)
University of North Carolina (XSS) (multiple hacks and breaches)
University of Oregon (SQLi)
University of Toronto (reported to have “Multiple SQLi vulnerabilities”)
Vancouver Island University (SQLi)
Wayne State University (SQLi)
Notes:
*Bucknell was also listed last week. This is a second SQLi vulnerability.
** Princeton was also listed last week as having an XSS vulnerability. This is another XSS vulnerability in a different subdomain. XSSposed.org notes 3 unpatched vulnerabilities for this university so far this year.
*** Stanford was also listed last week as having an XSS vulnerability. This is another XSS vulnerability in a different subdomain. XSSposed.org notes 8 unpatched XSS vulnerabilities so far this year. In 2013, the university reported a breach requiring a password reset. In 2014, Daniel Trenton Krueger, one of two leaders of the hacking group known as Team Digi7al, was sentenced for hacking a number of entities, including Stanford. It’s not known to this site if he was the attacker in the 2013 breach or there was a second Stanford hack.
**** Cornell has had other breaches reported on my blog. Most recently, they were hacked in January of this year.
What’s the point of this, you may well ask. Well, I’ve been on a soapbox for years that the EDU sector needs better data security to protect students’ information. Not all these vulnerabilities risk compromising personal information, but it would be nice to see the education sector improve their security – and for some federal agency to actually monitor or take enforcement action against schools that have repeated breaches.
There, I said it again.
Are you listening, U.S Education Department and the FTC? Are you listening, Congress?
I sincerely hope so.
And if your school is on this week’s list and you want more details, see @TeaMp0isoN_ and @xssposed on Twitter.