“Big mail” for tens of thousands of former students of the Swiss Federal Institute of Technology (ETH): Your personal information could fall into the wrong hands – and this was due to a serious security flaw in the ETH Alumni Association website.
Our research shows that those responsible reacted quickly to fix the vulnerability discovered by a computer scientist, but those potentially affected were not informed for months.
The background of the special story can be found on the website of ETH alumnus Andreas Kuster. There, the computer scientist provides information about a serious vulnerability in the ETH alumni website, which he accidentally discovered last November. His blog post is dated February 10, 2023.
It involves a now-defunct search feature called “Who’s Who” that allowed former students to find and connect with other alumni members online.
The problem: According to Kuster’s clarifications, access control for the search function was not working, allowing user data to be requested without authentication.
Criminals could use such personal data to carry out targeted phishing email attacks (“spear phishing”). In addition, the “hashed passwords” stored on the server can lead to later problems.
When someone registers online, the password entered is hashed, meaning that an algorithm converts it into a fixed-length string of characters and stores it on the server. If the same user wants to log in again later and enters their password, the hash is recalculated and compared with the value stored on the server.
However, many users still use a (too) simple password, such as a first name or another common word. If attackers steal hashed passwords, they can try to crack them with a brute force or dictionary attack. This means that with powerful hardware, they generate millions of hashed passwords and compare them to the recorded hash values. If two match, they have identified a password.
In addition, criminals sell tables with already generated or stolen hash values. These “rainbow tables” allow a structured and therefore fast search for the password that matches the hash.
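The following added example (not from the article or from Kuster’s post) illustrates the mechanics described above with constructed data: a small precomputed table of hashed common words stands in for a rainbow table, a leaked unsalted hash of a weak password is recovered by a single lookup, and a per-user salt plus a slow key-derivation function makes that lookup useless. The word list, the salt length and the iteration count are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for a rainbow/dictionary table: unsalted SHA-256 of a
# few common words, keyed by hash so a leaked hash is looked up directly.
COMMON_WORDS = ["password", "anna", "zurich", "sunshine", "welcome1"]
PRECOMPUTED = {hashlib.sha256(w.encode()).hexdigest(): w for w in COMMON_WORDS}


def unsalted_hash(password: str) -> str:
    # Fast, unsalted hash: every user with the same password gets the same
    # value, so one precomputed table works against the whole user base.
    return hashlib.sha256(password.encode()).hexdigest()


def lookup(leaked_hash: str) -> Optional[str]:
    # Recover a weak password from its unsalted hash with a single lookup.
    return PRECOMPUTED.get(leaked_hash)


def salted_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> Tuple[bytes, bytes]:
    # Per-user random salt plus PBKDF2 (a deliberately slow derivation):
    # identical passwords yield different digests, so precomputed tables
    # do not apply and each guess must be recomputed per user.
    salt = salt if salt is not None else os.urandom(16)  # assumed 16-byte salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes,
           iterations: int = 200_000) -> bool:
    # Login check: recompute with the stored salt and compare in constant time.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    leaked = unsalted_hash("zurich")
    print("unsalted hash recovered as:", lookup(leaked))
    salt, digest = salted_record("zurich")
    print("salted digest in table:", digest.hex() in PRECOMPUTED)
    print("login with correct password:", verify("zurich", salt, digest))
```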
In his blog post, computer scientist Kuster recalls the problem of some users using the same password more than once. If hackers manage to crack a hashed password, they can also use it to compromise other online services.
In addition, those responsible at ETH do not know exactly whether and how much data was extracted before the “Who’s Who” search function was taken offline.
At this point it is important to emphasize that the ETH computer scientist acted responsibly and correctly. He describes his approach in the aforementioned blog post.
Kuster documented the IT weaknesses and initially only informed those responsible within the Swiss Federal Institute of Technology.
He decided to send the “first report” to the ETH Alumni office as the primary recipient, with the technical contact (ETH IT Services) and the data protection contact (ETH Legal Services) in copy. Finally, he also reported the vulnerability to the National Cyber Security Centre (NCSC).
Kuster notes that the ETH Alumni headquarters responded very quickly and with foresight. The affected search function was immediately deactivated, and the IT departments corrected further deficiencies.
It is also known that a third-party cybersecurity firm was engaged and that a report was sent to the Federal Data Protection and Information Commissioner (FDPIC).
In a “timeline”, the computer scientist lists what did not happen after the vulnerability was closed: Those responsible for the ETH Alumni Association have failed to promptly notify their members and ensure that their passwords are changed immediately. The problem was also not mentioned in the monthly newsletter.
Kuster would also like to see the university and the ETH Alumni Association join a bug bounty program, so that honest hackers and security researchers have an incentive to report the vulnerabilities they discover.
The computer scientist points out that it would otherwise be much more financially worthwhile “to sell a huge data set, including addresses, degrees and password hashes, on the dark web or elsewhere”.
In his blog post, Kuster also addresses the relatively lax Swiss data protection regulations and the much stricter EU rules (GDPR).
Finally, the computer scientist points out:
Watson asked the ETH Alumni Association.
Anita Kendzia, responsible for communications, confirms that a security vulnerability has been identified and is said to have been “immediately patched”.
The spokeswoman for the ETH alumni emphasizes:
All alumni were informed in a separate email last Tuesday (February 14).
According to the spokeswoman for the ETH alumni, this statement refers to the evaluation of server log files. The password reset also began on Tuesday.
When asked, she indicates that an automatic password reset has not been performed for all alumni members. They were asked to “reset their password individually”.
Source: Watson
I’m Ella Sammie, author specializing in the Technology sector. I have been writing for 24 Instant News since 2020, and am passionate about staying up to date with the latest developments in this ever-changing industry.