PII of mothers

“You Can Still Walk”

Not too long ago, on the eve of graduation, I had just about wrapped up my computer science classes and was looking forward to graduating and starting my career. My university, Brigham Young University, had an alumni website that helped students after they graduated with things like networking, jobs, and establishing one’s career. I needed solutions, as I had sadly just learned that my university advisor had not added my name to the roster for graduation day. She claimed she had not realized that I was done! Without much remorse, she pointed out, in so many words, that I could tag along at commencement anyway.

The Alumnus

Well, after I was done with school, and with no job secured, I was frantically piecing together a plan for after graduation. I had spent considerable time over the semesters working in the IT department in audiovisual. It had slightly distracted me from my career in software, as I had become a key component in designing the campus concerts, basketball game lighting, and running lights for regional church events. In my search for what my future had in store, and while perusing the university’s alumni site, I chanced upon a useful feature the IT department had created, a function called “share a story.” With this tool, an alumnus who had been expatriated away from “Zion” and planted in the remotest of states in the US could still be a “light to the world” through a fellow alum’s nomination into BYU Magazine.

My eyes rolled out of my head when I saw that. “I’m sure that everyone in Utah has been both nominated and read about by now. What good will that do me?” I thought to myself. After running lights for the Women’s Conferences, Youth EFY camps, Education Weeks, and a dozen other high profile events, I knew the alumni website was going to be more about press for BYU than it was about getting a job. For those unfamiliar with the culture at BYU, it is a decent school, but there is a unique cultural undertone in every nook and cranny. The culture tends to be a bit on the superficial side.

The Flaw

It stuck out to me that this tool was so “available.” “So anyone can find the alumnus they want to highlight without logging in?” I questioned. My last semester’s classes included a web development course, and since I had gotten a sample of the latest and greatest in web tech, I inspected just about every page I opened. This day would be no exception.

So I’ll describe the feature “Share a Story” the way you might find it written up in Cucumber (Gherkin) form, the kind of thing that often ends up in JIRA tickets:

Feature: Share A Story
  Scenario: User shares a story about an alum friend that is worth printing in the magazine
    Given I am on the alumni website as a non-logged-in user
      And I fill out the first form with first name "Karl" and last name "Maeser"
    When I press submit
    Then I should see a list of alumni including "Karl G Maeser"
      And there is a next button that will allow me to enter and submit a story for this person

Initially, I tested it out with my last name to see if my parents’ names were there too, since I would shortly become a fourth-generation BYU alum. Yup, the search box works.

“What about my extended family?”

Also there.

“What about my roommates?”

Huh, that’s cool.

Ok, time to “right click > inspect!” (A note to the uninitiated–in almost all browsers this is a sort of “pop the hood” way to see what’s going on with the web page)

The Elements tab proved surprisingly revealing this go around. Once I had submitted a query, the HTML on the page would transform into a table of all the hits for my query. The page simply showed each name and the degree they pursued; however, those table elements had additional data fields that weren’t rendered to the user. And guess what I found there!

Each item in the list (which was not paginated, either) had, in those data fields, a name, birthday, mailing address, married name, email address, phone number, degree and graduation year. For example, here is the school’s founder:

BYU ALUMNI Inspect view

“Oh wow, it’s that easy? That’s not good.”

“Is my info up to date?”

“Yes. Shoot.”

“What about my roommate? Oh, my heck! This lady has his same mailing address. That’s his mom and her birthday isn’t it?”

BYU is a religious university for a smaller American church, and the church’s leaders could certainly be considered celebrities. Can you imagine how exciting it would be to discover these guys’ mysterious roots, such as their hometown, contact information, and birthdays?

Well sure enough, all the leaders I could think of who attended were there. Some had their info redacted, and some did not. For the readers who are LDS, I’m talking apostles.

The Force

I hoped, like Master Yoda, when Anakin exacts revenge upon the Sand People in his turn towards the dark side, those leaders shuddered momentarily during their labors as they felt my presence in locating their Personally Identifiable Information (PII). “Something terrible has happened. Young Skywalker is in terrible pain.”

Indeed, I was. Or perhaps more of a fury, as I discovered the PII of all of my loved ones was public on the internet, no login required. Oh, and I mean I guess it’s too bad that the head honchos have the same problem too. Maybe the leaders did not sense my presence that day, but for me, PII should be held sacred.

As a young newly graduated comp sci guy with no job yet secured, I fantasized about the glory and fame I would receive having discovered such an egregious sin. I would save the IT department immeasurable pain, even though I worked out of the bottom floor in lights and sound. With the well-placed shot of notifying the department, like Ralphie in A Christmas Story, I would ward off the crooks and the family would rally around me! The precipice of unemployment would turn into a runway for me to soar into the sunset!

Building my Resume

I dutifully notified the site admins, demonstrating the “bug” and pointing out that the school’s founder was in their database, among others. I asked for any bug bounty that might be available. In my meager, college-student way, I even offered to settle for a BYU license plate holder, as those had been given as gifts to the alumni but had run out before I got the chance.

Two weeks passed as I became preoccupied again with my job hunt in multiple directions. I decided to try my “exploit” again (right-click and inspect), but to my surprise, the data was no longer included in the web page. Did I miss something? I was sure my mail hadn’t ever included a license plate holder. No Jedi Master had spoken with my church leaders about putting me on the council yet not granting me the rank of master. They fixed it all on their own.

I emailed them again to be sure. Looking back, I was incredibly polite in my tone. I pointed out that I saw they had fixed the problem. I was grateful for that, and I’m sure the “Jedi Council” would be as well, if they ever found out. In my email, I asked for some help in my job search:

since I just graduated, I am looking for things to put down on my resume to make me more competitive for jobs. Is it possible to get an email from the admin/developers group that ended up dealing with the issue? I think a quick email from you guys about what happened would impress my future employers as someone who has his own initiative to make things better. Thanks in advance for helping a fellow alumnus,

Bryce Shelley

This time around, I actually got a response. A customer service member reached out and said they would ask the person in charge of the issue. Weeks slipped by, and that was the last interaction we had. That was that.

They say trials make the heart grow stronger

To be fair, I’m sure the website was developed by comp sci students, juggling a plethora of schoolwork and career building on top of website security. I can’t speak to the leadership much, since I only knew the head of the IT department when he appeared next to the lighting board at the basketball games. He was a nice guy. But whatever the excuses for letting this happen, it’s important to exercise the “principle of least privilege.” This principle is not about defeating hackers or dodging the NSA. Applied to a web page, it simply means the server hands the browser only the data that page actually needs for that user. That has side benefits: a smaller payload for better performance, a smaller attack surface, and simpler data for your code to deal with. Had the developer selected just the first name, last name and degree (and whatever key the “next” button needs to identify the person) from the results before generating the web page, the information of their revered church leaders (and their own) could never have reached the browser. The thing to remember is that “not rendered” is not “not sent”: anything in the HTML, whether a data attribute, a hidden input or a JSON blob in a script tag, is readable by anyone who opens the inspector or the raw response, login or not. The missing login and missing pagination made it worse, since the same request that exposed one family’s records handed over thousands at a time. Once you adopt that attitude, things like DevSecOps start to come without even knowing it.
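To make the “select only what you render” point concrete, and to put the inspector trick from the Elements tab into code, here is an added example. It is not code from the alumni site or from the author of this post; the stack the real site ran on is not described here, so everything below is an assumption: a constructed set of fake alumni records, a leaky renderer that copies every column into data-* attributes the way the inspector view showed, a hardened renderer that projects each row down to an allowlist before it touches the template, and a scan that does the “right click > inspect” step programmatically so a test can fail the build if anything beyond the allowlist reaches the markup. The field names, the values and the opaque id field are all made up.

```javascript
// Added example, not the alumni site's code. Demonstrates the leak the post
// describes and the least-privilege fix: project each row down to the fields
// the page renders before it ever reaches the template.

// Constructed records standing in for search results (fake data; the
// opaque "id" field is an assumption about what the "next" button needs).
const SAMPLE_RECORDS = [
  {
    id: "a1", first: "Karl", last: "Maeser", degree: "Education", year: 1880,
    birthday: "1828-01-16", address: "1 Example St, Provo, UT",
    email: "karl@example.edu", phone: "801-555-0100", married: "",
  },
  {
    id: "a2", first: "Jane", last: "Doe", degree: "Computer Science", year: 2015,
    birthday: "1993-04-02", address: "2 Example Ave, Orem, UT",
    email: "jane@example.edu", phone: "801-555-0101", married: "Smith",
  },
];

// The only fields the results table needs: a row key plus what is displayed.
const RENDERED_FIELDS = ["id", "first", "last", "degree"];

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

function rowHtml(attrs, first, last, degree) {
  return `<tr ${attrs}><td>${escapeHtml(first)} ${escapeHtml(last)}</td>` +
    `<td>${escapeHtml(degree)}</td></tr>`;
}

// Leaky renderer: every column of the database row becomes a data-*
// attribute. Only name and degree are visible, but the whole record ships
// to the browser, which is exactly what "right click > inspect" revealed.
function renderLeaky(records) {
  return records
    .map((r) => {
      const attrs = Object.entries(r)
        .map(([k, v]) => `data-${k}="${escapeHtml(v)}"`)
        .join(" ");
      return rowHtml(attrs, r.first, r.last, r.degree);
    })
    .join("\n");
}

// Allowlist projection: copy only the named fields. Done at the boundary
// (query or handler), everything else is structurally unable to leak.
function project(record, fields) {
  return Object.fromEntries(fields.map((f) => [f, record[f]]));
}

// Hardened renderer: identical visible markup, built from the projected row.
function renderHardened(records) {
  return records
    .map((r) => {
      const row = project(r, RENDERED_FIELDS);
      return rowHtml(`data-id="${escapeHtml(row.id)}"`, row.first, row.last, row.degree);
    })
    .join("\n");
}

// The inspector step as code: pull every data-* attribute off each row.
// Anything this returns was readable by any visitor, logged in or not.
function extractDataAttributes(html) {
  const rows = [];
  for (const tr of html.matchAll(/<tr\b([^>]*)>/g)) {
    const fields = {};
    for (const attr of tr[1].matchAll(/data-([\w-]+)="([^"]*)"/g)) {
      fields[attr[1]] = attr[2];
    }
    rows.push(fields);
  }
  return rows;
}

// Check worth running in CI: which fields outside the allowlist reached the
// markup? Returns a sorted list; empty means nothing unexpected shipped.
function leakedFields(html, allowed) {
  const extra = new Set();
  for (const row of extractDataAttributes(html)) {
    for (const key of Object.keys(row)) {
      if (!allowed.includes(key)) extra.add(key);
    }
  }
  return [...extra].sort();
}
```

Run `leakedFields(renderLeaky(SAMPLE_RECORDS), RENDERED_FIELDS)` and you get back the birthday, address, email, phone, married name and year, the same list the inspector showed; run it on `renderHardened` and you get an empty list. The design point is where `project` sits: doing the allowlist at the handler (or in the SQL `SELECT`) means a new column added to the table later cannot silently start leaking, which is what a template-level “just don’t print it” approach fails to guarantee.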

I had over 30,000 full records while I was researching the leak. Did I mention the search was a fuzzy search? I did not do an in-depth analysis of how bad the leak was, so I’m sure there were plenty more. If you also include the element of church leadership, then you’ll probably agree that the leak was really serious.

My mind is brought back to my quirky Mormon upbringing, and the quote from the mom in the Mormon comedy film The R.M., when she consoles her son, “They say trials make the heart grow stronger,” to which her son replies, “They don’t say that, Mom.” She quickly quips, “Well, I do!” before joining her guests to discuss multi-level marketing opportunities. I suppose it was something to build my character.

Circumstance necessitated that I leave all that behind. Eventually I found my first programming gig, starting out at the bottom of the industry. I don’t want you to feel bad for me, at least, not unless you’re a leader of the Mormon Church with some sway. But next time you’re writing an app, discussing a feature, or inspecting network traffic, take an extra moment to make sure your mom’s PII isn’t on the internet for your roommate to find.

Tags: Bug, Vulnerability, Exploit, HackerOne, Bounty, BYU
Published on 2026-02-09, last updated on 2026-02-10