Personal data and hashed passwords were accessible to third parties via the website of the ETH Alumni Association. Appease those responsible.
“Big mail” for tens of thousands of former students of the Swiss Federal Institute of Technology (ETH): Your personal data could have fallen into the wrong hands – and this was due to a serious security gap in the website of the ETH Alumni Association.
Research shows that those responsible reacted quickly to fix the vulnerability discovered by a computer scientist, but those potentially affected were not informed for months.
What happened?
The background to the unusual story can be found on the website of ETH alumnus Andreas Kuster. There, the computer scientist provides information about a serious vulnerability in the ETH alumni website, which he accidentally discovered last November. His blog post is dated February 10, 2023.
It is about a now-defunct search function called “Who is Who” that enabled former students to find other alumni members online and get in touch with them.
The problem: According to Kuster’s clarifications, the access control for the search function did not work, so that user data could be accessed without authentication.
Criminals could use such personal data to carry out targeted phishing mail attacks (“spearfishing”). In addition, the “hashed passwords” stored on the server could lead to subsequent problems.
In his blog post, computer scientist Kuster recalls the problem that some users use the same password more than once. If hackers manage to crack a hashed password, they could also use it to compromise other online services.
In addition, those responsible at ETH do not know exactly whether and how much data was extracted before the “Who is Who” search function was taken offline.
what went wrong
At this point it is important to emphasize that the ETH computer scientist acted responsibly and correctly. He describes his approach in the mentioned blog post.
Kuster documented the IT weaknesses and initially only informed those responsible within the Swiss Federal Institute of Technology.
He decided to send the “initial report” to the ETH Alumni office as the primary recipient, as well as to the technical contact (ETH IT Services) and their data protection contact (ETH Legal Services). Finally, he also reported the vulnerability to the National Center for Cyber Security, or NCSC for short.
Kuster notes that the ETH Alumni headquarters reacted very quickly and with foresight. The affected search function was immediately deactivated and the IT departments corrected further weaknesses.
At the same time, we know that an external cyber security company was called in and a report was sent to the Federal Data Protection Commissioner (FDPIC).
In a “timeline”, the computer scientist lists what did not happen after the security gap was closed: those responsible for the ETH Alumni Association failed to inform their members promptly and arrange for their passwords to be changed immediately . The problem was also not mentioned in the monthly newsletter.
Kuster would also like the university and the ETH alumni association to join a bug bounty program . So that there would be an incentive for honest hackers and security researchers to report discovered vulnerabilities.
The computer scientist points out that it would otherwise be much more worthwhile from a financial point of view “to sell a huge data set, including addresses, degrees and password hashes on the dark web or elsewhere”.
In his blog post, Kuster also addresses the comparatively lax Swiss data protection regulations and the much stricter EU regulations (GDPR).
Finally, the computer scientist points out:
What do those in charge say?
watson asked the ETH alumni association.
Anita Kendzia, responsible for communications, confirms that a security gap has been identified that is said to have been “closed immediately”.
The ETH alumni spokeswoman emphasizes:
All alumni were informed in a separate email last Tuesday (February 14).
According to the ETH alumni spokeswoman, this statement refers to the evaluation of server log files. The reset of the passwords was also initiated on Tuesday.
When asked, she specified that no automatic password reset had been carried out for all alumni members. They were asked to “reset their password individually”.
(c) Daniel Schurter
