Registration at Stevens is like high school sports. It involves waking up at seven in the morning to repeat mindless drills (furiously clicking through Web Self Services). It works with a class hierarchy — juniors trump sophomores who trump freshmen, with seniors reigning supreme. Students put in hours of extra effort in order to make varsity and gain all the perks that go with it (early registration). Worst of all, students’ position on the team could be stripped away at any time by injuries or promising upstarts, dampening their future hopes.
Jonathan Pavlik, a senior, had that final scenario happen to him this past registration period, eight hours after enrolling in all of the classes he needed to graduate. Pavlik stated that in his conversation with Information Technology, he was told that someone else hacked into his Web Self Services account and dropped all of his classes.
When logging into myStevens, the website provides users with an “authentication certificate” for security purposes, which contains encrypted data. However, Web Self Services only uses a small fragment of that data called the PIN, as well as the user’s campus-wide identification (CWID), which is transferred insecurely on the Self Services page. Any student’s CWID can easily be attained from a variety of places — most significantly, managers of student organizations can look them up on DuckLink for attendance purposes, and it is printed plainly on every student’s DuckCard. Obtaining a different person’s PIN is slightly harder to do, but viable strategies do exist. With those two numbers, the remaining steps to hack into another student’s Web Self Services account were described as “first-grade computer science” by a computer science student familiar with the system whom The Stute spoke with. Note that in this specific case, the hacker used their access to Pavlik’s account to drop his classes, but in the future, this vulnerability could also grant hackers access to other sensitive and extremely important information.
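The weakness the paragraph describes is a state-changing request (dropping classes) whose only proof of identity is a public identifier (the CWID) plus a short PIN. The example below is added here for illustration and is not Stevens’ code; it assumes nothing about how Web Self Services is actually implemented. It places that pattern beside a hardened one in which a schedule change must carry a random session token issued at login and bound to the student’s CWID, with a ceiling on failed PIN attempts and a server-side audit trail that would let an administrator answer who changed a schedule, from where, and when. Every student record, PIN and IP address in it is constructed.

```python
"""Added illustration (not Stevens' code): a schedule change authenticated by
CWID + PIN alone, beside one bound to a session issued at login.
All student records, PINs and IP addresses below are constructed."""
import hmac
import secrets
import time
from typing import Optional

# Constructed sample records keyed by CWID, the number printed on every DuckCard.
STUDENTS = {
    "10000001": {"pin": "4321", "schedule": ["CS 392", "CS 385"]},
    "10000002": {"pin": "8765", "schedule": ["MA 331", "HSS 371"]},
    "10000003": {"pin": "1111", "schedule": ["PEP 111"]},
}


# --- Pattern the article describes: the two numbers are the whole proof of identity ---
def drop_classes_weak(cwid: str, pin: str) -> bool:
    """Any request carrying a matching CWID + PIN pair is honoured, from any client, at any time."""
    record = STUDENTS.get(cwid)
    # The CWID is public and the PIN is short; nothing else is checked and nothing is recorded.
    if record is None or record["pin"] != pin:
        return False
    record["schedule"].clear()
    return True


# --- Hardened pattern: the change must carry a session token issued at login ---
SESSIONS = {}          # token -> (cwid, expiry timestamp)
FAILED = {}            # cwid -> consecutive failed PIN attempts
AUDIT = []             # (event, cwid, client_ip): the server-side record an administrator reviews
MAX_FAILED = 5
SESSION_TTL_SECONDS = 15 * 60


def login(cwid: str, pin: str, client_ip: str) -> Optional[str]:
    """Verify the PIN once, at login, and issue an unguessable token bound to this CWID."""
    if FAILED.get(cwid, 0) >= MAX_FAILED:
        AUDIT.append(("login_locked", cwid, client_ip))
        return None
    record = STUDENTS.get(cwid)
    if record is None or not hmac.compare_digest(record["pin"], pin):
        FAILED[cwid] = FAILED.get(cwid, 0) + 1      # PIN guessing now has a hard ceiling
        AUDIT.append(("login_failed", cwid, client_ip))
        return None
    FAILED[cwid] = 0
    token = secrets.token_urlsafe(32)               # 256 random bits, not a 4-digit PIN
    SESSIONS[token] = (cwid, time.time() + SESSION_TTL_SECONDS)
    AUDIT.append(("login_ok", cwid, client_ip))
    return token


def drop_classes_hardened(token: str, cwid: str, client_ip: str) -> bool:
    """Honour the change only if the token is live and was issued to the CWID named in the request.

    The CWID sent with the request is never trusted on its own; it must match the
    CWID the session was bound to at login."""
    session = SESSIONS.get(token)
    if session is None or session[1] < time.time() or session[0] != cwid:
        AUDIT.append(("drop_denied", cwid, client_ip))
        return False
    STUDENTS[cwid]["schedule"].clear()
    AUDIT.append(("schedule_cleared", cwid, client_ip))   # who, from where, and (by position) when
    return True


def events_for(cwid: str):
    """The audit slice an administrator would pull when a student reports dropped classes."""
    return [event for event in AUDIT if event[1] == cwid]


if __name__ == "__main__":
    print("weak, correct PIN:", drop_classes_weak("10000001", "4321"))
    token = login("10000002", "8765", "198.51.100.7")
    print("hardened, forged token:", drop_classes_hardened("forged", "10000002", "203.0.113.5"))
    print("hardened, real token:", drop_classes_hardened(token, "10000002", "198.51.100.7"))
    print("audit for 10000002:", events_for("10000002"))
```

The per-CWID lockout is deliberately simple: in a real deployment it should be paired with per-source rate limiting and a notification to the student, because a lockout keyed only on the victim’s CWID is itself something a third party can trigger. The audit list is the part that matters most for a case like the one in this article: it is the record that lets a support desk confirm or rule out a change made from an unfamiliar client rather than relying on the student’s own computer logs.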
To corroborate his own story, Pavlik cited logs of his computer which showed he wasn’t using Web Self Services at the time that his classes were dropped. Additionally, he was in a previously scheduled teaching assistant meeting, where he could not have been using Web Self Services.
According to Pavlik, Stevens’ Department of Information Technology has known about this issue for years. He says that two years ago, he realized how the current system could be used maliciously so he notified Information Technology in hopes that they would fortify the system. According to him, their response was that exploiting the vulnerability would be illegal, therefore no one would attempt it, and it did not need to be addressed. The same vulnerability that he described to them ended up being used against him two years later. Pavlik went on to say that when attempting to receive assistance re-enrolling in the classes he was removed from, the Registrar told him that a handful of students faced similar issues every semester.
In an official statement, Information Technology stated that they knew of no other students affected by this issue. They acknowledged that some students have developed software to increase the chances of getting into their desired classes, adding that “We cannot rule out the possibility that this was involved in the student’s classes being removed from his schedule as an unintended outcome of using this software.” Additionally, they said that they had found no evidence of malicious activity that led to Pavlik’s classes being dropped. Finally, they said that “We will continue to monitor and add enhancements that promote the security of the student information system and Web for Students, as is already the case.”
As of the time this article was written, Pavlik has been re-enrolled in all but one of his classes, with the help of the Registrar; however, without the one remaining class, he will lose the opportunity to receive a minor before he graduates at the end of next semester. The registration vulnerability also has yet to be addressed, and the system remains insecure.