[Backdated Post] | Date of finding: 05/08/2020 | Actual date of publication: 25/10/2020 | [Backdated Post] |
In this post I will describe a data leak I discovered when looking around on a list of KU Leuven subdomains.
I stumbled upon a subdomain used by the KU Leuven ‘Centrum voor Levende Talen’ (CLT for short, or Leuven Language Institute / ILT in English), which employs over 130 people and where you can learn over 21 languages.
It is also the organization that all non-Dutch-speaking KU Leuven (doctoral) students are referred to when their mastery of Dutch is insufficient to start studying (or working) at the KU Leuven.
The Finding
I discovered a login page with a third button which isn’t used (or rather shouldn’t be used) by anyone: pressing it logged you in as ‘inspection’ without any authentication. The two other buttons on the page refer students and teachers to their respective login pages.
The data that could be retrieved once logged in as inspection includes (but is not limited to):
- all students enrolled in all language courses
- all internal student-teacher mail correspondence
  - includes a lot of personal information
- all student exercises, mistakes and (exam) grades
  - extraction via PDF was provided by a built-in tool
- all student activity (when they were last logged in and for how long)
- Zoom links and passwords for examinations + exam planning
One of the more disturbing findings was the login statistics: I wasn’t the first to discover this lack of authentication. Sadly, I was the first to report it.
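To make the two points above concrete, here is an added illustration (my own model code, not CLT’s application, whose internals I never saw): a login handler reduced to plain Python functions, with the ‘inspection’ button that hands out a privileged role without checking anything, next to the hardened version where that entry point simply no longer exists. The last function shows the kind of after-the-fact check the login statistics allowed: scanning for sessions that obtained a privileged role with no user bound to them. The credential store, roles, and log lines are constructed for the example.

```python
"""Model of an unauthenticated 'inspection' login and its removal.

Hypothetical illustration: request handling is reduced to plain functions so
the pattern is visible without a web framework. Nothing here is CLT's code.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# Constructed credential store: username -> (role, salted SHA-256 of password).
# A real deployment would use a slow hash such as bcrypt or argon2.
_SALT = b"constructed-salt"


def _hash(pw: str) -> str:
    return hashlib.sha256(_SALT + pw.encode()).hexdigest()


USERS = {
    "alice": ("student", _hash("correct horse")),
    "bob": ("teacher", _hash("battery staple")),
}
PRIVILEGED_ROLES = {"inspection", "admin"}


@dataclass
class Session:
    role: str
    user: Optional[str] = None
    authenticated: bool = False


def _password_login(expected_role: str, username: str, password: str) -> Optional[Session]:
    """Normal credential check shared by the student and teacher buttons."""
    record = USERS.get(username)
    if record is None:
        return None
    role, digest = record
    if role != expected_role or not hmac.compare_digest(digest, _hash(password)):
        return None
    return Session(role=role, user=username, authenticated=True)


# --- Vulnerable pattern: the third button on the login page ----------------
def vulnerable_login(button: str, username: str = "", password: str = "") -> Optional[Session]:
    if button == "inspection":
        # No credentials are checked at all: whoever clicks gets the role.
        return Session(role="inspection")
    return _password_login(button, username, password)


# --- Hardened pattern: the unused entry point is removed ------------------
def hardened_login(button: str, username: str = "", password: str = "") -> Optional[Session]:
    if button not in ("student", "teacher"):
        return None  # unknown buttons, including the old 'inspection', are rejected
    return _password_login(button, username, password)


def is_privileged_without_auth(session: Optional[Session]) -> bool:
    """True when a session holds a privileged role but was never authenticated."""
    return session is not None and session.role in PRIVILEGED_ROLES and not session.authenticated


# --- Reviewing login history after the fact --------------------------------
# Constructed log lines: "<ISO timestamp> role=<role> user=<user or ->".
SAMPLE_LOG = """\
2020-07-30T09:12:03 role=student user=alice
2020-07-31T22:41:19 role=inspection user=-
2020-08-02T14:05:55 role=teacher user=bob
2020-08-05T10:00:01 role=inspection user=-
"""


def unauthenticated_privileged_logins(log_text: str) -> List[str]:
    """Return timestamps of sessions that got a privileged role with no user bound."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        fields = dict(kv.split("=", 1) for kv in parts[1:] if "=" in kv)
        if fields.get("role") in PRIVILEGED_ROLES and fields.get("user") == "-":
            hits.append(parts[0])
    return hits


if __name__ == "__main__":
    print("vulnerable:", vulnerable_login("inspection"))
    print("hardened:  ", hardened_login("inspection"))
    print("prior unauthenticated privileged logins:", unauthenticated_privileged_logins(SAMPLE_LOG))
```

The fix mirrors what CLT did: rather than bolting a password onto the inspection button, the role is no longer reachable from the login page at all, so there is nothing left to misconfigure. The log review is what turns a login-statistics page into evidence of how long the door stood open.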
Remediation
The CLT staff quickly responded and fixed the authentication issue by removing the redundant Inspection login. They also immediately informed their internal GDPR contact person to do their due diligence in that regard.
I was very glad to be dealing with such a professional staff member. Kudos!