Stanford Vulnerability Allowed Students to View Other Students' Data -- Campus Security Today

Stanford Vulnerability Allowed Students to View Other Students' Data

Between Jan. 28 and 29, the student briefly accessed the records of 81 students while trying to assess the scope of the vulnerability. The documents were not searchable by name, but were instead accessible by changing a numeric ID in a URL.

By Jessica Davis
February 20, 2019

The Stanford Daily has reported that a now-fixed security vulnerability allowed Stanford students to view the applications and high school transcripts if they first requested to view their own admission documents under the Family Educational Rights and Privacy Act (FERPA).

The vulnerability was discovered by a student who recently submitted a FERPA request for their own documents in a third-party content management system called NolijWeb.

When a student views one of their files, the URLs and files are linked through numeric IDs. While the vulnerability didn’t allow students to search documents by name or other identifying information, they could change file ID numbers in URLs to access arbitrary students’ files.

“It wasn’t anything sophisticated,” the student said of their methods. The student said anyone with experience in web development could have easily exploited the vulnerability. “You change the ID slightly and it just gives you someone else’s records.”

Accessible documents contained sensitive personal data, potentially including Social Security numbers, ethnicity, home address, citizenship status, criminal status, standardized test scores, personal essays and whether that student applied for financial aid.

According to university spokesperson Brad Hayward, Stanford has not identified other “instances of unauthorized viewing” but is still reviewing the situation. The university will notify the students whose privacy was compromised because of the security flaw.

“We regret this vulnerability in our system and apologize to those whose records were inappropriately viewed,” Hayward wrote in an email to The Daily. “We have worked to remedy the situation as quickly as possible and will continue working to better protect our systems and data.”

Stanford has notified Nolij’s parent company Hyland Software. It’s not clear how many schools using NolijWeb could be subject to the vulnerability.

About the Author

Jessica Davis is the Associate Content Editor for 1105 Media.

Shooter Detection Systems Joins Partner Alliance for Safe Schools to Strengthen School Safety Efforts
04/08/2024
Parents are Part of School Security, Too
03/19/2024
Enhancing School Safety
03/15/2024
Access Control Trends
03/14/2024

Featured

California School District Modernizes Surveillance System

i-PRO Co., Ltd. (formerly Panasonic Security), a provider of professional security solutions for surveillance and public safety, recently announced that the Murietta Valley Unified School District (MVUSD) in Riverside County, CA, has undertaken a project to modernize its first-generation surveillance system to new high-resolution i-PRO network cameras, and the i-PRO Video Insight video management system (VMS). Read Now
- Video Surveillance
RAD Makes History with First Robotic Dog Deployed to Taylor Police Department

Robotic Assistance Devices, Inc. (RAD), a subsidiary of Artificial Intelligence Technology Solutions, Inc., recently announced that it has delivered a RADDOG LE to the Taylor, Michigan Police Department. The delivery of RADDOG LE to the Taylor Police Department marks a historic moment in the integration of technology within law enforcement. This milestone underscores RAD’s commitment to revolutionizing the landscape of security and public safety through cutting-edge AI-powered, robotic solutions. Read Now
- Facility Security
Passing the Test

The discussion about secured access and access control for higher education and K-12 is continuously expanding and evolving. That is a good thing. The more knowledge we gain and the more solutions that become available, linked and interoperable, the better and higher the level of security and safety. Read Now
- Access Control
Driving a Major Shift

One of the driving forces for change has been the high demand for unified solutions. Users are asking their vendors for a way to manage all their security systems through a single interface, from a single pane. This has led to a flurry of software development to seamlessly integrate access control systems with video surveillance, intrusion detection, visitor management, health monitoring, analytics with artificial intelligence (AI), and more. Read Now
- Video Surveillance

Webinars

Hanwha Vision (formerly Hanwha Techwin), Salient Systems, Eagle Eye Networks Inc, Evolv Technology

Shooter Detection: The First Line of Defense
Hanwha Techwin, Salient Systems, Evolv Technology, Omnilert, Eagle Eye Networks Inc, Traka ASSA ABLOY, i-PRO Americas Inc., Digital Watchdog, IPVideo Corporation, ProdataKey

Exploring Multiple Facets of Campus Security Summit
SparkCognition

How Visual AI Is Transforming the Conventional School Safety Model

Whitepapers

Metrasens

Case Study | Creating a Welcoming and Safe Experience for School Events
ProVision

Guide to Body Cameras for Campus Security
Omnilert

Guide to Evaluating Gun Detection Technology