TL;DR: ID enumeration vulnerability in web app of the Computer Science faculty at TU Dortmund University exposed private data of up to 750 computer science students, including full name, birthdate and private address.
In the curriculum of the “Master in Computer Science” programme at my beloved TU Dortmund University, there is a course called Project Group (German: “Projektgruppe”). Over the span of two semesters, a group of ten to twelve students works mostly independently on a project, to learn (among other things) project management and teamwork skills.
Each semester, the faculty of Computer Science publishes a list of possible projects to choose from. Students then use a web application written in PHP to enter their preferences and upload certificates to prove they possess the necessary qualifications and skills to contribute to a project.
As I entered my preferences and uploaded my grade sheet, I was presented with a list of my uploaded files, with a link for each file. The URLs for those files looked like this:
Simple numeric IDs always lure me into changing them by one, so I requested https://thevulnerableapp.cs.tu-dortmund.de/get_file.php?file_id=4241 and voilà: I got a PDF from a different student. Changing the ID again resulted in another PDF.
Among the files I looked at, I found full names, dates and places of birth, private addresses and (of course) lists of grades.
As I knew one of the students whose file I had opened, I contacted him and confirmed the correctness of his file.
This vulnerability required the user to be logged in, so trying this from a fresh browser did not work. But still: the file was served to any logged-in user, with no check that it actually belonged to the user requesting it.
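To make the missing check concrete, here is an added illustration (my own sketch, not the university's code) of a `get_file.php` in the shape the post describes, with the insecure lookup next to one that binds the row to the session user. The table and column names (`files`, `id`, `owner_id`, `path`, `original_name`) and the session key `user_id` are assumptions.

```php
<?php
// Added illustration, not the university's code. Schema and session key
// (files.id, files.owner_id, files.path, files.original_name, $_SESSION['user_id'])
// are assumed for the sake of the example.
session_start();
if (!isset($_SESSION['user_id'])) {
    http_response_code(401);
    exit('login required');
}

$pdo = new PDO('sqlite:' . __DIR__ . '/app.sqlite');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Reject anything that is not an integer before it reaches the query.
$fileId = filter_input(INPUT_GET, 'file_id', FILTER_VALIDATE_INT);
if ($fileId === false || $fileId === null) {
    http_response_code(400);
    exit('bad file_id');
}

// INSECURE: being logged in is the only requirement. Any id that exists
// is served, regardless of who uploaded it (the flaw described above).
function fetchFileInsecure(PDO $pdo, int $fileId): ?array
{
    $st = $pdo->prepare('SELECT path, original_name FROM files WHERE id = ?');
    $st->execute([$fileId]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

// FIXED: the row must belong to the session user. A foreign id yields the
// same "not found" as a nonexistent one, so the response does not reveal
// whether other ids exist.
function fetchFileForOwner(PDO $pdo, int $fileId, int $userId): ?array
{
    $st = $pdo->prepare(
        'SELECT path, original_name FROM files WHERE id = ? AND owner_id = ?'
    );
    $st->execute([$fileId, $userId]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

$row = fetchFileForOwner($pdo, $fileId, (int) $_SESSION['user_id']);
if ($row === null) {
    http_response_code(404);
    exit('not found');
}
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . basename($row['original_name']) . '"');
readfile($row['path']);
```

Replacing sequential ids with random ones would only be defence in depth; the ownership condition in the query is the actual fix.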
I then deleted the files and wrote an email to the person managing the project groups at our faculty, the university’s data protection officer and the security team of the university’s IT department.
Within a day, the application was taken offline. A few days later, the vulnerable get_file.php endpoint was removed. The university sent out an email to the students whose data was exposed and supposedly self-reported this incident to the data protection agency of our state.
While I am happy that this was quickly addressed and the proper authorities and the affected students were notified, I am a bit disappointed by the fact that somebody at the Computer Science faculty created an application with such an obvious and simple flaw.
- 2022-06-11: Discovered the issue and reported it to the university
- 2022-06-11: University acknowledges the problem and promises to patch or disable the vulnerable feature. Shortly afterwards, the whole application is taken offline.
- 2022-06-17: University says they disabled the vulnerable feature. The application is back online.
- 2022-06-21: University sends an email to all affected people acknowledging the vulnerability and stating that the proper authorities were notified.