Security loophole discovered in AIM

    By KIMBERLY DEMUCHA

    A student in January stumbled upon a loophole in BYU’s Route Y computer information system which allowed him to access personal data about other students.

    He discovered information such as student Social Security numbers and grades — all within his own Route Y account, said computer science major William Moyes.

    Moyes, 23, a senior from Valencia, Calif., said he discovered these security breaches in the Academic Information Management system, which allows students to view grades, class schedules and other academic information.

    On Jan. 11, when Moyes logged onto the AIM system of Route Y, he saw the number 555-55-5555 instead of his own Social Security number. When he accessed the academic information report for the bogus student ID number, he got what appeared to be a generic test account.

    Moyes found that he could type the Social Security number of another student in the AIM URL and retrieve his or her academic information report, all from Moyes’ own Route Y account.

    Normally a login name and corresponding password from a student’s Route Y account are needed to get personal academic information.

    Moyes’ concern led him to the page source, or JavaScript, to see what was allowing him access. Each Internet page is written in HTML code, which can be easily viewed.

    While investigating the problem, Moyes said he found an address written into the page source that would disclose a listing of all students by name, Social Security number and birth date.

    Though access was available to this sensitive information, nothing could be altered in any way, Moyes said.

    Moyes called IT services Jan. 12 to report the problem. IT services removed the written address from the page source, but access to the site was still available. Anyone who had the address before that time could still view the page containing Social Security numbers, birth dates and names of students, he said.

    After two weeks the problem still had not been corrected, so Moyes said he again contacted IT services.

    The problem was fixed after three weeks, Moyes said.

    “With a hole like this someone could potentially harvest all of the information in the database in five minutes,” he said.

    On Tuesday, March 27, the Office of Information Technology issued a statement about the security problems.

    “We acknowledge that there is a communication problem within our organization,” said Kelly McDonald, assistant vice president of information technology.

    McDonald said when the student first reported the problem, the AIM office was in the process of merging and reorganizing independent organizations into the Office of Information Technology.

    “At the time, the Route Y security framework was handled by one organization, and applications, such as AIM, were developed in a separate organization,” McDonald said.

    Along with consolidating these organizations, the Office of Information Technology is also resolving the different communication tools used among them.

    In the future the Office of Information Technology will focus on improving inter-office communication to prevent subsequent security problems, McDonald said.

    “Since our merge, we have been working hard to establish an effective and integrated communication system,” McDonald said.

    Travis Hill, a computer programmer, said he believes what probably happened is that the Web page developer just left a note in the page source for himself and then forgot about it.

    Allowing such access to confidential information could have placed BYU in violation of the Family Educational Rights and Privacy Act of 1974.

    According to the FERPA home page, http://info.fmis.ums.edu/ferpaweb/, there are a few basic rules that need to be followed in order for a school to be in compliance with FERPA.

    First, student educational records are considered confidential and may not be released without the written consent of the student.

    Second, faculty or staff members have a responsibility to protect educational records in their possession.

    If BYU were found in violation of FERPA, federal funding could be taken from the university. Though BYU is a private institution, students receive a large amount of federal funding through student loans and Pell grants.
