Kurt McKee


Hey there! This article was written in 2006.

It might not have aged well for any number of reasons, so keep that in mind when reading (or clicking outgoing links!).

Finding chinks in NU's armor

Posted 1 December 2006 in exploit, northwestern-university, and software

I'm pleased to say that Northwestern has fixed one of the flaws that I reported in August, which somewhat frees me to talk about what I discovered.

Northwestern invested in centralized login software. Unfortunately, the software was susceptible to cross-site scripting attacks (which means that it would be technically possible to inject code into the page that could steal your username and password). I notified the Northwestern IT department of the flaw, and they notified the vendor. It's taken over three months, but one of the flaws has been fixed, which demonstrates the strength of proprietary software over which the customer has no control.

Having seen that they've closed one of the flaws, I went looking for new ones. It took about 30 minutes, but I came up with several interesting flaws. Even better, I came up with a proof-of-concept in about an hour. I tested it out with a friend of mine, and it worked flawlessly: I was able to steal his login session (which means that as long as he doesn't click "Log out" I could theoretically pose as him). I'm pleased to report that I was not able to steal his username and password, nor was I able to pose as him with the stolen login session.
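To make concrete what the two paragraphs above describe (a login page that reflects attacker-controlled input, and a session that can be lifted once script runs in the page), here is an added example in Python. It is not code from Northwestern's login software or from this post; the parameter name `error`, the page layout and the sample URL are all constructed for illustration. The vulnerable renderer inserts the query parameter verbatim, the hardened one HTML-entity-encodes it first, and the cookie helper shows the `HttpOnly`/`Secure` attributes that keep a session cookie out of reach of injected script.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a login URL whose "error" query parameter is reflected
# into the page. Parameter name and page layout are assumptions for this
# example, not details of any real login system.
SAMPLE_URL = "https://login.example.edu/?error=<script>alert(1)</script>"

PAGE_TEMPLATE = """<html><body>
<p class="error">{error}</p>
<form method="post">
  <input name="user"><input name="pass" type="password">
</form>
</body></html>"""


def error_param(url: str) -> str:
    """Return the 'error' query parameter of a URL, or '' if it is absent."""
    query = parse_qs(urlsplit(url).query)
    return query.get("error", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflect the parameter verbatim. Any markup in it becomes part of the
    page, so a crafted link makes script run in the login page's origin."""
    return PAGE_TEMPLATE.format(error=error_param(url))


def render_hardened(url: str) -> str:
    """Same page, but the parameter is entity-encoded before insertion, so the
    browser displays the text instead of interpreting it as HTML."""
    return PAGE_TEMPLATE.format(error=html.escape(error_param(url), quote=True))


def contains_script_tag(page: str) -> bool:
    """Crude check used by the test: does the rendered page carry a live <script> tag?"""
    return "<script" in page.lower()


def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie header with the attributes that limit what injected
    script can do with the session: HttpOnly keeps the cookie out of
    document.cookie, Secure keeps it off plaintext HTTP."""
    return f"Set-Cookie: session={session_id}; Path=/; HttpOnly; Secure"


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_URL))
    print(render_hardened(SAMPLE_URL))
    print(session_cookie_header("constructed-session-id"))
```

Escaping on output is the fix the vendor would have needed for the reflected case; `HttpOnly` is the separate control that makes a stolen-session attack harder even when an encoding bug slips through, which is why both belong in the same review.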

This, however, does not mean that Northwestern's systems are completely protected from abuse or cross-site scripting. 30 minutes seems dreadfully little time to find an exploit. I'm going to have to start naming these exploits. One I've already decided to call "Counter Strike"; it's not much of a vulnerability, but I feel that there's an opportunity to exploit it in some way - probably for money.

I look forward to cooperating with Northwestern in good faith to identify potential exploits.

*[IT]: Information Technology