A third-party vulnerability exposed admission records, essays, transcripts and sensitive personal information of Stanford University students, including Social Security numbers, ethnicity, legacy status, home address, citizenship, criminal record and financial situation, writes The Stanford Daily.

The university has been using NolijWeb, the vulnerable content management system, for about 10 years but now plans to find another platform to host its files. NolijWeb is widely used by schools and universities to give students access to their school files, so other institutions could be exposed to the same vulnerability.

The glitch has apparently been leaking student files since 2015. Students who submitted requests under the Family Educational Rights and Privacy Act (FERPA) could see not only their own education records but those of other students as well. The vulnerability was detected and investigated by a student who gained access to the data simply by changing numeric IDs in the URL. It could have been manipulated by anyone with web development experience, the student explained.

“It wasn’t anything sophisticated. You change the ID slightly and it just gives you someone else’s records,” the student said.
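The pattern the article describes is a missing object-level authorization check: the application verifies that the user is logged in, then serves whatever record the numeric ID in the URL names. The following is an added illustration, not code from the article, from Stanford or from NolijWeb: a framework-free handler in the vulnerable form, the same handler with the ownership check that closes the hole, and a small log heuristic that flags the kind of browsing the article reports. The record store, student IDs and access log are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    owner_id: int   # the student this file belongs to
    contents: str


# Constructed sample store, keyed by the numeric record ID that appears in the URL.
RECORDS = {
    1001: Record(owner_id=7, contents="admission file of student 7"),
    1002: Record(owner_id=8, contents="admission file of student 8"),
    1003: Record(owner_id=9, contents="admission file of student 9"),
}


class Forbidden(Exception):
    """Raised when the session user may not read the requested record."""


def fetch_record_vulnerable(session_user_id: int, record_id: int) -> str:
    # Authentication happened upstream (a login is required), but nothing ties
    # the record to the session: any logged-in user who edits the ID gets the file.
    return RECORDS[record_id].contents


def can_read(session_user_id: int, record_id: int) -> bool:
    # Authorization is decided from the server-side session, never from the URL.
    record = RECORDS.get(record_id)
    return record is not None and record.owner_id == session_user_id


def fetch_record_fixed(session_user_id: int, record_id: int) -> str:
    if not can_read(session_user_id, record_id):
        # One answer for "does not exist" and "not yours", so a caller cannot
        # tell valid IDs from invalid ones by comparing responses.
        raise Forbidden("record not available")
    return RECORDS[record_id].contents


def flag_browsing_sessions(access_log, threshold: int = 2):
    """Return user IDs that read at least `threshold` distinct records owned by
    someone else. Run over (user_id, record_id) pairs from an access log, this
    is the signal an IDOR abuse like the one in the article would leave."""
    foreign = defaultdict(set)
    for user_id, record_id in access_log:
        record = RECORDS.get(record_id)
        if record is not None and record.owner_id != user_id:
            foreign[user_id].add(record_id)
    return sorted(u for u, ids in foreign.items() if len(ids) >= threshold)


# Constructed access log: user 7 reads their own file and two other students';
# user 8 reads their own file and one other.
SAMPLE_LOG = [(7, 1001), (7, 1002), (7, 1003), (8, 1002), (8, 1001)]


if __name__ == "__main__":
    print("vulnerable:", fetch_record_vulnerable(7, 1002))
    try:
        fetch_record_fixed(7, 1002)
    except Forbidden as exc:
        print("fixed:", exc)
    print("flagged users:", flag_browsing_sessions(SAMPLE_LOG))
```

The ownership check is the fix; the log heuristic is a compensating detection for applications that cannot be patched immediately. Two notes on the design: the authorization decision uses only the session identity and the server's own record of ownership, so the URL carries no trust, and the denial path returns one response for both missing and foreign records.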

During the investigation, the student looked at 81 students’ records between Jan. 28 and 29, but the security incident has been mitigated in the meantime. In total, 93 students were affected by the breach and are to be informed by the university.

According to Stanford spokesperson Brad Hayward, so far no other “instances of unauthorized viewing” have been detected.

“Exploiting this vulnerability requires an authenticated student login and specific knowledge of the application’s underlying behavior,” Hayward wrote for The Stanford Daily. “We believe this to be the first report of the issue. We regret this vulnerability in our system and apologize to those whose records were inappropriately viewed. We have worked to remedy the situation as quickly as possible and will continue working to better protect our systems and data.”

As soon as the glitch was detected, the platform was disabled until further notice.