Private data leak at CS faculty of TU Dortmund University

TL;DR: ID enumeration vulnerability in web app of the Computer Science faculty at TU Dortmund University exposed private data of up to 750 computer science students, including full name, birthdate and private address.

In the curriculum for “Master in Computer Science” at my beloved TU Dortmund University, there exists a course called Project Group (German: “Projektgruppe”). Over the span of two semesters, a group of ten to twelve students are working mostly independently on a project, to learn (among others) project management and team working skills.

Each semester, the faculty of Computer Science publishes a list of possible projects to choose from. Students can then use a web application written in PHP to enter their preferences and upload certifications to prove they possess the necessary certifications and skills to contribute to a project.

As I was entering my preferences and uploaded my grade sheet, I was presented with a list of my uploaded files, with a link for each file. The URLs for those files looked like this:

Simple numeric IDs always lure me into changing them by one, so I requested and voilà: I got a PDF from a different student. Changing the ID again resulted in another PDF. Among the files I looked at, I found full names, date, and place of birth, private address and (of course) lists of grades.

Examplary leaked data: Immatriculation certificate for another person, with censored personal details

As I knew one of the students from the files I tried, I contacted him and confirmed the correctness of their files.

This vulnerability required the user to be logged in, so trying this from a fresh browser did not work. But still: No matching against the user.

I then deleted the files and wrote an email to the person managing the project groups at our faculty and the universities’ data protection officer and the security team of the universities IT department.

Within a day, the application was taken offline. A few days later, the vulnerable get_file.php endpoint was removed. The university sent out an email to the students whose data was exposed and supposedly self-reported this incident to the data protection agency of our state.

While I am happy that this was quickly addressed and the proper authorities and the affected students were notified, I am a bit disappointed by the fact that somebody at the Computer Science faculty created an application with such an obvious and simple flaw.