A high school applicant to Worcester Polytechnic Institute says he was able to access his record within the school’s CRM software and edit crucial fields such as his own SAT scores, confidential recommendation letters, and even an “application decision” toggle field for his application. Dozens of other colleges might be impacted by the same vulnerability, he claims.
The student — Boston-area high school senior Bill Demirkapi — provided detailed copies of his correspondence with the university, and screen captures of his access.
WPI confirmed the incident to me in an email, adding that “At no time was the blogger able to view sensitive information regarding other students or systems within WPI.”
Demirkapi wrote up a detailed explanation of his findings on GitHub.
“Being part of the college admissions process made me interested in investigating, ‘Can you hack yourself into a school?’ In this article, I’ll be looking into TargetX, a ‘Student Lifecycle Solution for Higher Education’ that serves several schools. All of this research was because of my genuine interest in security, not because I wanted to get into a school through malicious means,” he wrote. Demirkapi says a misconfiguration in the TargetX implementation allowed him to access his own file at WPI and edit it. Using a specifically crafted URL, Demirkapi was able to trick the website into displaying a “404 – URL no longer exists” page with a search box that allowed him to look up his own record and access a set of criteria in his file.
Demirkapi began working with WPI in January to get the school to fix the flaw, which took several weeks. An external scan showed him many other colleges were using the same software and likely suffering from the same vulnerability. He reached out to several dozen schools this week to inform them of the misconfiguration. He came forward to me because he wanted to draw attention to it so other schools could fix it, and did not believe TargetX had done enough to inform schools about the problem.
WPI said that Demirkapi was never in a position to impact his admissions decision.
“The WPI admissions process includes numerous steps and simply checking ‘admitted’ would not have resulted in admission to WPI,” wrote Allison Duffy, Director of Public Relations for the school. “WPI is continually evolving and strengthening its security measures. The university takes the security of information very seriously and has robust cybersecurity protection and monitoring in place in order to avert attempts like this,” Duffy also wrote.
Demirkapi wondered if subtle changes to his application information would be caught, however.
“Obviously if I set myself to accepted I’d probably get caught down the line. The point was to show I could really edit anything,” he said. “I don’t know how well they’d detect if I changed subtle things. Perhaps if I edited my teacher’s recommendations. Or edited my AP scores.”
It is unclear if accessing or editing TargetX fields might have an impact on a student’s application at other schools. Would some other process catch suddenly-altered SAT scores? Would a simple change to “accepted” have allowed Demirkapi to enroll in classes? Or would, as WPI says, such edits have been caught somewhere else along the process?
TargetX did not immediately respond to a request for comment. On a security mailing list devoted to colleges, someone identifying himself as Brian Kelly of Educause.com wrote that he had communicated with the CEO of TargetX.
“The CEO of TargetX reached out to me immediately and provided the information below,” Kelly, who identifies himself as “Director, Cybersecurity Program,” wrote. Kelly did not immediately respond to a request to confirm the authenticity of the email. “We had a great conversation today and he shares the spirit and intent of our Cybersecurity community and the value of information sharing. ‘Yesterday a blog post described an incident where an applicant accessed only his own data through a Salesforce default page without authorization. Due to permission settings, the applicant was able to demonstrate that he could read and edit select data. No other student data was accessed. When this was first reported in January, TargetX worked closely with our customer to resolve this situation by updating permissions settings. Since then they have updated customers on this issue, and continue to ensure that customers have the correct settings in place. TargetX takes all security issues seriously.’ ”
Bradley Shear, a Washington D.C.-based lawyer and expert in privacy issues relating to colleges, said the incident highlights colleges’ increased use of digital tools to track applicants, and the risks that creates.
“So, this is like Ferris Bueller changing his grades but here changing the computer system to admit a student instead of paying $500,000?” he said. “It sounds very interesting, especially in light of this recent WP article that verifies what I have been saying for years that parents are digging up digital dirt on their kids’ friends and sending it to colleges to sabotage any competitors to their kids’ dream colleges.”
Again, there is no indication that students could access anyone else’s application data.
“I named this post ‘Hacking College Admissions’ because this vulnerability was not just in WPI. Besides WPI confirming this to me themselves, I found similar vulnerabilities in other schools that were using the TargetX platform,” Demirkapi wrote. Since he began this quest to warn universities about this flaw, Demirkapi has chosen another college — one that didn’t suffer from the flaw. “Maybe students should be taking a better look at the systems around them, because all I can imagine is if someone found something like this and used it to cheat the system.”