139
theuser
7y

Just discovered that our student housing rental portal transmits our password in plaintext.

WHAT.THE.ACTUAL.FUCK

Comments
  • 4
    gg dude xD
  • 12
    Why you need wireshark for that? You could see that in your browser if they're not using tls.. or do the switch to http only for the login? 😂
  • 15
    Oh and you should hack one of your lecturers to show them how bad their systems are. At least that's what we did back in the days when we found a major security bug in 2nd semester ... 😂
  • 4
    @GodHatesMe Oh shit, probably should've masked that huh. Let me change my password in case theres some bored devs here
  • 3
    @GodHatesMe No big deal, LastPass does it for me. There's around 160 students on the same subnet who's got their rental contracts stored there. I could do a simple ARP spoof, a couple of wireshark filters and I would probably obtain a couple of passwords
  • 3
    🇳🇴🇳🇴🇳🇴🇳🇴🇳🇴🇳🇴🇳🇴🇳🇴
    That is all
  • 9
    It's 2017 and universities haven't switched to client certificates over ssl yet ~_~
  • 3
    Report it to the admins and see if they do anything about it
  • 5
    @lotd this. My university's system is so shitty all browsers warn me before entering any student web, even edge. Thesd guys should have bleeding edge technology but instead they buy everything from yale and harvard for no other reason than "if they do it we should too". Even if the software they buy is 10+ years old and has no sensible security or whatsoever. Last year they wasted a ton of money on a "new" system to take courses just because harvard used it. The thing has crashed constantly ever since as it is not adapted in any way to our reality. But fuck the worse is that the guys taking those stupid decisions are not anything related to engineering or cs, they are just lawyers that got to a high position in the university hierarchy. Fuck them.
  • 0
    @lotd It's not that they should be switching, it's that they should be using BOTH. They both have their places.
  • 0
    @Akselmo I recognize that, where's it from?
  • 0
    @GodHatesMe jesus christ, I think it's going to take something bad to happen before they change 😕 if you are in the UK you can complain to the information commissioner office other than that I think you might be snookered
  • 0
    @Akselmo Oh yeah lol, that's an awesome chat.
  • 1
    @daarkfall my uni lost a laptop with like 10 years of student data on it... This uni is also teaching students from all over the world networking and security... We had many networking/forensics labs too, so it's not like money was much of an issue.
  • 0
    @ganey there is no excuse for not encrypting a laptop drive in this day and age, I'd be making a formal complaint as high in the university as possible about data security standards
  • 1
    @daarkfall they reported to the ICO and lots of current and expected students kicked up a fuss against them for taking ages to disclose what had happened and the circumstances. The biggest issue discussed was why all the information was allowed on a laptop in the first place.

    I don't think they've made any mistakes like that since!
  • 0
    Just to update, they finally got HTTPS working again.
Add Comment