
The shocking world of referrers!


Nick Jachelson

6:34 pm on Feb 20, 2006 (gmt 0)

10+ Year Member



I was looking through the recent referrers for my website and saw one that came from a university (.edu) address. I decided to check it out, and much to my surprise I ended up viewing an email in somebody's mailbox who apparently e-mailed a link to one of my pages to himself. Not only that but I could browse ALL of his/her email in the inbox.

Apparently, their e-mail system tracks sessions via a numeric id in the query string! Therefore, clicking on any link in the email will send that session id to the website along with the referral URL. What's really shocking is that this university has 20,000+ students!

I probably should notify the school's webmaster about the blatant security failure. Has anybody else ever come across similar things?
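The leak described in this post shows up in the receiving site's own access log, which is how it was spotted. This is an added example, not code from the thread: a Python script that scans combined-format log lines for Referer URLs carrying a session token in the query string (or a Java-style `;jsessionid=` path parameter) and reports the referring host with the token masked. The log lines, host names and token values are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Query parameter names that commonly carry a session token (constructed watch
# list for this example; extend it with whatever your own referrer logs show).
SESSION_PARAM_NAMES = {"sessionid", "session_id", "sessid", "sid", "phpsessid", "token"}

# Apache/nginx "combined" log format: ip - - [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
                    r'"(?P<referer>[^"]*)" "[^"]*"$')

def mask(token):
    # Keep only a short prefix so the report itself does not re-leak the token.
    return token[:4] + "..." if len(token) > 4 else "***"

def session_tokens_in_url(url):
    """Return {name: value} for URL parts that look like a session token: watch-listed
    query parameters plus the Java-style ';jsessionid=...' path parameter."""
    parsed = urlparse(url)
    found = {}
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        if name.lower() in SESSION_PARAM_NAMES and values[0]:
            found[name] = values[0]
    m = re.match(r"(?i)^jsessionid=(.+)$", parsed.params)
    if m:
        found["jsessionid"] = m.group(1)
    return found

def find_leaky_referrers(log_lines):
    """Return (referrer_host, param_name, masked_token) for every request whose
    Referer header carried a session token from the referring site."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("referer") in ("", "-"):
            continue
        referer = m.group("referer")
        for name, token in session_tokens_in_url(referer).items():
            hits.append((urlparse(referer).hostname, name, mask(token)))
    return hits

# Constructed sample log lines (RFC 5737 test addresses, invented hosts and tokens).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Feb/2006:18:34:01 +0000] "GET /page.html HTTP/1.1" 200 5123 '
    '"http://webmail.example.edu/read.cgi?msgid=4410&sessionid=8837123" "Mozilla/4.0"',
    '203.0.113.9 - - [20/Feb/2006:18:35:12 +0000] "GET /page.html HTTP/1.1" 200 5123 '
    '"http://www.example.com/search?q=referrers" "Mozilla/4.0"',
    '198.51.100.7 - - [20/Feb/2006:18:37:03 +0000] "GET /index.html HTTP/1.1" 200 812 '
    '"http://portal.example.edu/mail;jsessionid=ABCDEF0123456789?folder=inbox" "Mozilla/4.0"',
]
```

A hit means the referring site, not yours, is exposing its users' sessions; the masked report is what you would pass to that site's webmaster.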

jomaxx

6:55 pm on Feb 20, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Never seen that personally. If they're lucky the session ID expires within some reasonably short period of time, but it's obviously an enormous security hole.

Wlauzon

7:01 pm on Feb 20, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Never seen that particular one, but university systems - especially on the student side - are notorious for really bad security.

A few months back I ran across one by accident that had hundreds of students' home addresses listed. Have seen many where entire directories were visible.

joaquin112

12:59 am on Feb 21, 2006 (gmt 0)

10+ Year Member



In my high school, I was able to view everyone's BlackBoard page (e-mail, pictures, grades) - I truly don't remember how though, but it was an enormous security hole (I think one had to go into another form, type a wrong password, and click the back button, though I am not sure).