
TL;DR: I found a serious security threat in my Math department's grading system and I am not sure how to convince them to take it seriously.

I was a bit bored during a lecture so I decided to test my University's Math department grading system. I entered my username, I'll call it "Foo" as well as my password, "Foo123". The system logged in normally. Next, I used "Foo" again as username and "Foo1234" as a password. To my surprise, the system logged in! I was very intrigued at this point and so I tried again with "Foo123wkfjdbwkefbkwdhfbwkfbwkdbw" and again it logged in!

I think that the department saves the password in raw format (instead of a hash) because they clearly use a version of x.contains(real_raw_password). For example, when I posted "Foo123wkfjdbwkefbkwdhfbwkfbwkdbw", I am guessing the back-end did something along the lines of:

    if ("Foo123wkfjdbwkefbkwdhfbwkfbwkdbw".contains(ActualPasswordString)): Login()

This is a very serious security threat that I think they should address, both because 1) they store the password as raw text and 2) they use a .contains on the actual string sent, when in reality I can send a string with different combinations of passwords and it would return true if any substring exists in it.

However, I am not sure how to approach the department and convince them that they need to address it. Any tips on how to approach it especially that it is not a CS department?

Coconut
  • Even if it's not a CS department they have administrators. Just write them an e-mail explaining what the problem is. – Arminius Mar 24 '17 at 18:00
  • Doesn't sound like a huge issue, I mean I bet if you try wkfjdF00123 it will not log in. – daniel Mar 24 '17 at 18:02
  • Depending on what your concerns are with reporting the issue you can find tons of posts by [using the search function](https://security.stackexchange.com/search?q=how+do+i+report). – Arminius Mar 24 '17 at 18:07
  • As daniel points out, the more likely back-end is not "passwordentry.contains(password)" but rather "passwordentry[0:8] == password". Still not great, because it enforces that all passwords are weak, but truncation is far more likely than what you suspect. – Ben Mar 24 '17 at 18:51
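The question and the comments describe two candidate back-end checks (a substring match and an 8-character truncated comparison) without showing them side by side. The following is an added example, not code from the question, the comments or the university's system: it models both flawed checks as local functions, runs the submissions discussed in the thread against them, and places a salted-hash verifier next to them for contrast. The stored passwords, the probe strings and the `width` of 8 are constructed for the demonstration; the reading of Ben's comment as "both sides truncated" is my assumption.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stored credentials for the demonstration (the post's example is "Foo" / "Foo123";
# the longer one is invented here because truncation only shows up past 8 characters).
SHORT_PASSWORD = "Foo123"
LONG_PASSWORD = "Foo123-long-pw"  # constructed, 14 characters


def contains_check(stored_plaintext: str, submitted: str) -> bool:
    """The check the question suspects: any submission that *contains* the stored
    plaintext password is accepted, so "Foo1234" and "Foo123<garbage>" both log in."""
    return stored_plaintext in submitted


def truncated_check(stored_plaintext: str, submitted: str, width: int = 8) -> bool:
    """The check Ben proposes in the comments, as I read it (assumption): both sides are
    cut to `width` characters before comparison, the way legacy crypt(3) truncated at 8.
    It also accepts "Foo123<garbage>", but only when the stored password is at least
    `width` characters long."""
    return stored_plaintext[:width] == submitted[:width]


def probe(check, stored_plaintext: str) -> dict:
    """Run the three submissions discussed in the thread against a local check function
    and report which are accepted. Prepending junk (daniel's comment) is what separates
    the two hypotheses: contains() accepts it, prefix truncation does not."""
    return {
        "exact": check(stored_plaintext, stored_plaintext),
        "appended": check(stored_plaintext, stored_plaintext + "wkfjdbwkefbkwdhfbwkfbwkdbw"),
        "prepended": check(stored_plaintext, "wkfjd" + stored_plaintext),
    }


# --- how it should be done: salted slow hash, full-length constant-time comparison ---

def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> tuple:
    """Store (salt, iterations, digest) instead of the plaintext. PBKDF2-HMAC-SHA256 is
    in the standard library; argon2 or bcrypt would be equally appropriate."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_password(record: tuple, submitted: str) -> bool:
    """Re-derive the digest from the submission and compare the whole digest in constant
    time. Every character of the submission influences the digest, so no prefix, suffix
    or superstring of the real password can pass."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", submitted.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for name, check in (("contains", contains_check), ("truncate-8", truncated_check)):
        print(name, "short:", probe(check, SHORT_PASSWORD))
        print(name, "long: ", probe(check, LONG_PASSWORD))
    record = hash_password(LONG_PASSWORD)
    print("hashed exact:", verify_password(record, LONG_PASSWORD),
          "appended:", verify_password(record, LONG_PASSWORD + "x"))
```

Running it shows why the observed behaviour alone does not settle the question: with a stored password of 8 or more characters, both the substring check and the truncated comparison accept the "Foo123<garbage>" submission, and only the prepended variant tells them apart. Whichever one the department uses, the hashed verifier rejects every non-exact submission, which is the fix to ask for.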

1 Answer


Most universities have a cyber security team, or at least a person, often attached to their IT department, to report findings like that. If all else fails, call their help desk and ask who to report computer security problems to.