Tuesday, May 25, 2004
Wolverine Access Flaw Update

It seems that there's a bit more to the story about the recently discovered privacy flaw in Wolverine Access. The student who found the flaw is alleging that the vulnerability was accessible from any browser; his friend said, "The University only emailed students because Jon contacted the Ann Arbor News." This from a Live Journal post by the student who discovered the flaw:
"I would also be very surprised if someone else did not stumble upon, given the huge number of people that use Wolverine Access. Unfortunately, for that same reason, it is rather infeasible to maintain log files for that long of a period of time to know for sure.
While a full dump of the database would not be possible with the limited web-based forms and restriction to 300 results, it would be possible to get a large majority of the data with some complex screen-scraping and common-name techniques. Let's hope no one came across it and thought of that.
So in conclusion, there's not really any way to know who's been affected, so everyone just needs to keep a watchful eye on their credit report."
Also, although the Daily story says:
"[UM Spokesperson Julie] Peterson added that the student used the Safari web browser for Macintosh operating systems whereas most students use Internet Explorer and would not be able to gain access through Internet Explorer."
Mr. Oberheide noted in feedback posted on the story that, "Actually I used Mozilla Firefox on Gentoo Linux. Mozilla is also available for Windows and Mac. In addition, it IS possible to access through Internet Explorer although it requires a bit more technical knowledge."
It turns out that the University claims they never told the Daily that, and in Mr. Oberheide's words, "apparently the Daily pulled that one out of their ass."
> From this Live Journal discussion
> Daily: "Student reports glitch in Wolverine Access to 'U'"
> U-M Information: "Wolverine Access Student Data Vulnerability Discovered"
Posted by Rob at 2:41 PM