Some top universities wouldn’t pass a cybersecurity exam: they left their websites vulnerable

Many universities worldwide, including some of the most prestigious, leave their web pages unpatched, leaking sensitive information, and even open to full takeovers, a Cybernews Research team investigation reveals. Among the 20 cases found, at least six websites belong to universities on the worldwide top 100 list.

The Cybernews Research team scrutinized 20 websites with millions of monthly visitors in more detail. An investigation into indexed information from internet-connected devices provided a list of universities with compromised website security. Researchers were able to confirm the entries were accurate.

“Seeing many websites left vulnerable was unexpected, as attacks against universities have historically been very common, starting from DDoS attacks launched by students trying to cancel classes to full-blown ransomware attacks,” Cybernews researchers said.

All of the investigated university websites had more than a million monthly visitors, according to Similarweb. Six universities were ranked in the Top 100 list, and 13 were in the Top 1000 list.

The level of security wasn't necessarily linked to the university's size or significance, as both small and large universities displayed similar vulnerabilities. While the findings didn’t include any unprotected databases or vulnerabilities more than a year old, some universities were late to apply security updates. Researchers also found several critical vulnerabilities and very sensitive credentials being leaked.

In the case of the following five universities, leaked information could have allowed a complete website takeover:

  • UTEL University (Mexico)
  • National Taiwan University
  • Walden University
  • University of West Indies (Jamaica)
  • University of California San Diego

In the case of 12 universities (including those mentioned above), it would’ve been possible to obtain private student and teacher information using leaked credentials or by exploiting vulnerabilities such as remote code execution (RCE), one of the most dangerous classes of flaw:

  • University of Pittsburgh
  • University of British Columbia
  • University of the Andes (Colombia, Universidad de los Andes)
  • Liberty University
  • Old Dominion University
  • Vanderbilt University
  • University of New Hampshire

The remaining eight universities had other, less significant vulnerabilities, such as leaving source code containing full or partial credentials accessible.

“It’s important to note the scope of the research was not exhaustive, meaning that the vulnerabilities and misconfigurations that we found are relatively easy to find for unskilled attackers and just as easy to exploit. For a more detailed analysis, a deeper penetration testing would be required,” Cybernews researchers noted.

The vulnerabilities identified throughout the research were addressed before the publication of this article.

What did website administrators miss?

Vulnerabilities that could allow a takeover of a website were either due to exposed environment files (.env) or remote code execution (RCE) vulnerabilities.

Three universities had very sensitive information leaking.

The University of California San Diego (UCSD) is a public land-grant research university founded in 1960. It currently enrolls 43,000 students, and 27 alumni have received Nobel Prizes. Yet, the UCSD website left database credentials, Cloudflare credentials, WordPress credentials, and email credentials up for grabs. Attackers could use these for a website takeover, redirects to malicious servers, phishing from an official communication channel, and access to user information.

Similarly, the website of National Taiwan University (NTU), a public research institution with 33,000 students, was leaking JSON Web Token secrets, database credentials, and a git URL with a username. All this could enable attackers to hijack accounts and have admin access.

The Latin American Technology University Online (UTEL) website was leaking JSON Web Token secrets, Google Cloud secrets, credentials, hosts for multiple databases, and a Git URL (without credentials). That could allow arbitrary admin account creation and access to files and personal information. UTEL is a private Mexican university for online education founded in 2008.

Two smaller universities, Walden University (CVE-2022-29464) and the University of West Indies, had websites vulnerable to remote code execution that could allow a website takeover.

Files should not be public, and services need to be updated

Environment files should not be left accessible to outsiders: they are configuration files, often containing credentials for some or all of the third-party services, databases, and APIs used by a web application. A malicious actor could use exposed credentials to access private databases and abuse API functions. As discovered, in some cases the leaked credentials could lead to a full website compromise.

“Developers should make sure that their environment files are not publicly accessible, reset leaked credentials, and consider starting to monitor for such leaks in the future,” Cybernews researchers warn.

Also, credentials exposed in Git repository configuration files, which would allow attackers to download and inspect the website's source code, should be reset.

RCE vulnerabilities such as the WSO2 web server RCE (CVE-2022-29464) and the Microsoft Exchange RCE (CVE-2023-21529) are publicly documented, and fixing them requires patching or updating the affected server, whether manually or automatically.

“Walden University and The University of West Indies were running vulnerable WSO2 web server versions, patched on 2022-04-25, meaning that these servers were not updated in over a year,” Cybernews researchers write.

Other universities, such as Vanderbilt, New Hampshire, and Old Dominion, were more than a month late to patch their Microsoft Exchange servers from the RCE vulnerability.

“In regards to leaked credentials, two universities used default credentials for a given software package, and five used weak, guessable passwords. This reflects poor security practices and hints that credentials used for other applications may also suffer from the same weak password policies.”

Cybernews contacted all universities mentioned in the research. Portland State University resolved the issue when it was reported.

“In our case, the discovered issue was an inconsequential information disclosure of file modification metadata for public files. There is no foreseeable negative impact for the specific instance of the issue in question. The underlying cause was a difference between how our application is deployed and how our repository of static assets shared across sites is deployed; in the case of application deployment, multiple other controls are in place preventing this type of information disclosure,” the university commented.

The University of Pittsburgh responded with a comment, which reads: “Ensuring data security is of utmost importance to the university and we thank you for bringing this matter to our attention. Our information security team took immediate steps to correct this vulnerability upon being notified on April 25th.”

Due to the sensitive nature of its cybersecurity precautions, the university was otherwise unable to comment further.

“Old Dominion University (ODU) learned of a vulnerability upon the release of a patch when the first public disclosure was made in February. The vulnerability was not being exploited at the time. To apply the patch, ODU followed its standard risk-based approach designed to manage all operational risks, including those posed by the vulnerability,” ODU writes in a statement.

Walden University’s answer was as follows:

“Walden University can confirm that we have not had any data leaks or exposure. We have a robust monitoring system committed to protecting the privacy and security information of our students and staff, regularly conducting software updates and scans for potential vulnerabilities to ensure that there are no exposures. If and when false positive vulnerabilities arise due to decommissioned devices, we work closely with our partners to release patches that address them. Additionally, Walden deploys monthly patches to all of the machines within our environment, and the organization undergoes an annual external penetration test to validate our configurations and cyber security controls.”

Other flaws

Amongst other notable findings, some universities host student web projects, which could be used to gain an initial foothold in the university network.

“Students with less experience are more likely to make misconfigurations and create their projects with security being an afterthought,” researchers noted.

A few universities had exposed .DS_Store files. These are generated by Apple's Finder (the default macOS file manager) and contain metadata about the contents of a given folder, such as folder names, file names, file extensions, view settings, and icons. Such files are usually stored alongside source code and may inform attackers of the applications, technologies, or packages in use.

Website administrators should ensure the .DS_Store file is no longer publicly accessible, and check whether the software packages used by the application have any obvious or commonly exploited flaws.
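The exposed .env, Git configuration and .DS_Store files described in this article share one root cause: the web server serves dotfiles that happen to sit in the document root. The following nginx server block is an added example, not configuration from Cybernews or from any of the universities named; the hostname, document root and PHP-FPM socket path are placeholders. It refuses every path component that begins with a dot while keeping /.well-known reachable for ACME challenges.

```nginx
# Added example (not from the article): refuse to serve dotfiles such as
# .env, .git/config and .DS_Store from the document root.
# server_name, root and the fastcgi_pass socket are placeholders.
server {
    listen 443 ssl;
    server_name www.example.edu;            # placeholder
    root /var/www/example.edu/public;       # placeholder

    # Any path component starting with a dot: /.env, /app/.env.bak,
    # /.git/config, /assets/.DS_Store, /.htaccess ...
    # Answer 404 rather than 403 so the response does not confirm that the
    # file exists; the access log entry still records the probe for detection.
    location ~ /\. {
        access_log /var/log/nginx/dotfile-probe.log;   # placeholder log path
        return 404;
    }

    # Exception: RFC 8615 well-known URIs (e.g. ACME challenges) must stay
    # reachable. "^~" makes this prefix match win over the regex above.
    location ^~ /.well-known/ {
        allow all;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;     # placeholder socket
    }
}
```

Two caveats: the rule only hides files whose name starts with a dot, so a backup saved as env.txt or config.bak needs its own rule (or, better, should never be in the document root at all), and hiding a file does nothing for credentials that were already exposed, which must still be rotated as the researchers recommend. The WordPress user list discussed below is produced by WordPress itself and has to be restricted in WordPress, not by this server rule.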

In a few instances, WordPress user lists were also exposed, which can reveal to attackers the website’s authors, and sometimes their emails and usernames. It’s a good practice to make sure that user information is inaccessible.

“Update WordPress to a more recent version and change WordPress usernames,” Cybernews researchers recommend.
