A student discovered a major vulnerability in the my.UChicago portal that may have exposed personal information of current and former students, faculty, and staff. The vulnerability allowed users unauthorized access to multiple databases, one of which included dates of birth, course grades, and possibly Social Security numbers.
Alan Zhu, the first-year student who found the vulnerability, reached out to the University’s Information Security Office on December 30. Zhu was notified on January 13 that the issue was resolved.
The discovery follows another vulnerability Zhu reported to IT last September, which also allowed my.UChicago users access to others’ personal information, including dates of birth, campus IDs, and gender.
Matt Morton, UChicago’s chief information security officer, said in a statement to the Maroon that “the student accessed the page by following a link that pointed to an administrative area rather than the standard student interface. From there, they were able to reach a page that contained some personal data, like first and last name, that was not intended for student use.”
While Morton said that the University “initiated a broader review of this system to identify and address any comparable issues” after Zhu reported the initial vulnerability in September, the second, more extensive exposure was reachable through the same page on my.UChicago.
“It wasn’t like I was looking around to see, ‘Can I figure out everyone’s Social Security numbers?’” Zhu said. “I was just poking around, and I found it. Imagine [if] someone actually wanted to do this. Then they’d be able to find it really quickly, right?”
In response to a question about whether any my.UChicago users could have accessed the page, Morton said that “the configuration issue could have allowed other authenticated users to reach the same page.” The University did not respond to a follow-up question from the Maroon about who qualifies as an authenticated user.
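The distinction Morton’s statement turns on, authenticated versus authorized, as an added example that is not code from the University or the Maroon (the route prefixes, roles and user names are constructed): a portal guard that admits any logged-in user to any page, beside one that ties each area to a role, denies unlisted pages by default and records denied requests into the administrative area.

```python
# Added example, not the University's code: authentication alone versus
# route-level authorization for a portal with a student interface and an
# administrative area. Routes, roles and users below are constructed.
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    authenticated: bool = True


# Constructed route table: each area prefix maps to the roles allowed in it.
# Anything not listed is denied for everyone, so a page does not become
# reachable merely because a link to it exists somewhere.
ROUTE_ROLES = {
    "/student": frozenset({"student", "registrar"}),
    "/admin": frozenset({"registrar"}),
}


def authorize_weak(user, path):
    """The pattern at issue: any logged-in user may reach any page."""
    return user.authenticated


def _under(path, prefix):
    return path == prefix or path.startswith(prefix + "/")


def authorize(user, path, audit=None):
    """Hardened: the page must be in a listed area and the user must hold a role
    allowed there. Returns False for unauthenticated users and unlisted paths."""
    if not user.authenticated:
        return False
    # Normalise first so "/student/../admin/x" is judged as "/admin/x".
    path = posixpath.normpath(path)
    for prefix, roles in ROUTE_ROLES.items():
        if _under(path, prefix):
            allowed = bool(user.roles & roles)
            if not allowed and audit is not None:
                # Denied requests into the administrative area are worth
                # alerting on; a stray link and deliberate probing look alike.
                audit.append(f"DENY user={user.name} path={path}")
            return allowed
    return False
```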
The Maroon verified that multiple users were able to access the administrative page with others’ personal information before the vulnerability was fixed but was not able to verify that accounts other than Zhu’s allowed access to Social Security numbers.
“If it were that this entire website [was] open to anyone who clicked on that region of the web page, then clearly the potential risk will be much higher,” Ben Zhao, the Neubauer Professor of Computer Science, told the Maroon.
The University did not issue a public statement to alert the University community about the data breach incidents.
To report a possible compromise or other data security incident, contact the University IT Services Security team at security@uchicago.edu or (773) 702-2378.
