Insecure Logins at 90 Colleges
Every exchange of private data, such as passwords, should use HTTPS. As shown below, most colleges have learned this lesson.
Results as of 7-19-14
7 months after notification:
16/57 plaintext login pages fixed or improved (28%)
8/33 mixed login pages fixed or improved (24%)
How Common are Insecure Login Pages?
To measure frequency, I tested the first 300 hits on Google for "inurl:EDU login", with these results:
The big message is clear: colleges have largely switched to HTTPS. The logins I am finding are clearly from the colleges at the back of the pack on this issue.
List of 90 Vulnerable Colleges
Notifications
Unlike many security problems, this one is not subtle or covert. It's absurd to suggest that malicious actors haven't noticed this, and that it should be "kept secret." So I really see no ethical requirement to notify the colleges at all. However, just as a courtesy, it seems kind to send them a pro forma notification since I am publishing a page accusing them of insecure practices.
I was not motivated to hunt through their Web pages to find specific email addresses to contact this time, so I just used grep to find all the domains ending in .edu and mailed to "security@domain.edu", as well as a few additional email addresses listed below.
I sent this message:
Security Problem on Your Network
Hello:
I am Sam Bowne, an Instructor in Computer Networking and Information Technology at City College San Francisco. If you want to know more about me, look at my Twitter profile:
https://twitter.com/sambowne
Your site uses one or more insecure login pages, which make it easy for hackers to steal passwords or other credentials. All login pages should use encrypted protocols, such as HTTPS.
This article may be helpful: "A basic guide to when and how to deploy HTTPS"
http://erik.io/blog/2013/06/08/a-basic-guide-to-when-and-how-to-deploy-https/
I published details of my study here, including the vulnerable URLs:
http://samsclass.info/125/proj11/insecure-logins.htm
Feel free to contact me if I can be of assistance.
Re-Notification
41 of those emails bounced back instantly.
I therefore re-sent the email to abuse@school.edu, with this notice at the top:
Note: Many schools do not accept emails to security@school.edu, despite RFC 2142. I am therefore re-sending this to abuse@school.edu.
Only 12 of those bounced immediately.
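As an added example, not the grep one-liner used for the survey, here is the same address-building step in Python, covering both the first security@ attempt and the abuse@ retry after a bounce (both mailbox names come from RFC 2142). It assumes the registrable domain is the last two labels of the host; that holds for hosts like ezproxy.lib.alasu.edu, but a host under a system-wide domain such as massasoit.mass.edu collapses to mass.edu, so the output is worth a look before anything is sent. The sample URLs are taken from the lists on this page; the bounce list in the demo is constructed.

```python
"""Turn a list of login URLs into RFC 2142 contact addresses (security@, then abuse@ on bounce).

Added example, not the grep command used for the survey. Assumption: the registrable
domain is the last two labels of the host. That is right for alasu.edu or bard.edu, but a
host under a system-wide domain (massasoit.mass.edu) collapses to mass.edu, so check the
output before sending. Sample URLs are taken from the lists on this page.
"""
from urllib.parse import urlsplit


def registrable_edu_domain(url):
    """'http://ezproxy.lib.alasu.edu/login' -> 'alasu.edu'; None for anything not under .edu."""
    host = (urlsplit(url).hostname or "").lower()  # hostname drops the port (ezproxy.lcsc.edu:2048)
    labels = host.split(".")
    if len(labels) < 2 or labels[-1] != "edu":
        return None
    return ".".join(labels[-2:])


def notification_addresses(urls, mailbox="security"):
    """One address per distinct .edu domain; 'security' is the RFC 2142 mailbox for this kind of report."""
    domains = {d for d in map(registrable_edu_domain, urls) if d}
    return sorted(f"{mailbox}@{d}" for d in domains)


def retry_addresses(bounced, mailbox="abuse"):
    """Re-notification: for every address that bounced, try the abuse@ mailbox (also RFC 2142)."""
    return sorted(f"{mailbox}@{addr.split('@', 1)[1]}" for addr in bounced)


# URLs from the lists on this page; comments mark the cases the helper has to handle.
SAMPLE_URLS = [
    "http://ezproxy.lib.alasu.edu/login",
    "http://ezproxy.lcsc.edu:2048/login",              # port is stripped
    "http://moodle.bard.edu/login/index.php",
    "http://libcdm1.uncg.edu/login/",
    "http://euc.uncg.edu/schedule/login.php?",         # same school as the line above: deduplicated
    "http://www.jevin.net/jevin/login.pl",             # not .edu: skipped
    "http://ford.massasoit.mass.edu/cp/home/loginf",   # caveat: collapses to mass.edu
]

if __name__ == "__main__":
    print("\n".join(notification_addresses(SAMPLE_URLS)))
    # Constructed bounce list for the demo; in practice take it from the bounce messages.
    print("\n".join(retry_addresses(["security@bard.edu", "security@lcsc.edu"])))
```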
Details of Searches and Pages Found
Googling for:
inurl:edu login
inurl:edu login -inurl:https
I also frequently searched for "login" on college main pages, and I tried login links from the front pages to check their use of HTTPS.
Schools with Plaintext Login Pages
This is a terrible practice: the password is sent in plaintext over the Internet, and every router, proxy and Wi-Fi access point along the path handles it. It can be trivially sniffed, logged, or intercepted at any hop. Anyone on the same network as the victim, such as a student on campus Wi-Fi, can collect other students' or teachers' passwords, log in as them, deface Web pages, and so on. A few entries below are marked "Base64": the password is Base64-encoded before it is sent over HTTP. That is an encoding, not encryption; it reverses with one command and offers no protection at all.
I don't really understand how any college with plaintext logins can be in compliance with privacy regulations like FERPA and HIPAA, since anyone can easily collect passwords and enter their "secure" servers. They are like a bank with no lock at all on the vault.
1. 4 Faculty
http://www.4faculty.org/index.jsp
Plaintext! Still the same on 7-19-14
2. Agnes Scott College
http://courses2.agnesscott.edu/login/index.php
Plaintext! Still the same on 7-19-14
3. Alabama State U
http://ezproxy.lib.alasu.edu/login
Plaintext! Still the same on 7-19-14
4. American Public U
http://ezproxy1.apus.edu/login
Plaintext! Still the same on 7-19-14
5. American Sentinel U
http://my.americansentinel.edu/Account/Login.aspx
Plaintext! Still the same on 7-19-14
6. Aspen U
http://classroom.aspen.edu/login/index.php
Plaintext! Still the same on 7-19-14
7. Athens State U
http://www.athens.edu/CLL/register.php
Plaintext! Still the same on 7-19-14
8. Austin Community College
http://www5.austincc.edu/sstraining/www/login.php
Plaintext! HTTPS on 7-19-14, but contains insecure elements
9. Bard College
http://moodle.bard.edu/login/index.php
Plaintext! Still the same on 7-19-14
10. Capella U
http://courseroom2.capella.edu/webct/RelativeResourceManager/5148011/branding/login/Login.htm
Plaintext! Still the same on 7-19-14
11. Coastal Carolina U
http://my.coastal.edu/
Plaintext! Still the same on 7-19-14
12. The College of St Rose
http://blackboard.strose.edu/webapps/login/
Plaintext! Still plaintext on 7-19-14 but being phased out for an HTTPS page in Fall 2014
http://shibboleth.strose.edu/simplesaml/auth/login.php?
Plaintext! Fixed on 7-19-14, no longer uses authentication
13. Cornell
http://staffweb.library.cornell.edu/user/login
Plaintext! Still the same on 7-19-14
14. Corning Community College
http://shc-script.corning-cc.edu/cpip/userid_lookup.php
http://shc-script.corning-cc.edu/helpdesk/pipeline/reset.php
http://shc-script.corning-cc.edu/helpdesk/nt/reset.php
Plaintext! Still the same on 7-19-14
15. Dallas Baptist U
http://online.dbu.edu/webapps/login/
Base64 on 7-19-14
http://www.jevin.net/jevin/login.pl
Plaintext! Down on 7-19-14
16. Durham Technical Community College
http://blackboard.durhamtech.edu/webapps/login/
Plaintext! Down on 7-19-14
17. East Carolina U
http://www.ecu.edu/cs-itcs/sabameeting/userlogin.cfm
Plaintext! Still the same on 7-19-14
18. EDUCAUSE
http://www.educause.edu/user
Plaintext! Still the same on 7-19-14
19. Fielding Graduate U
http://www.turnitin.com/
Mixed Still the same on 7-19-14
http://forums.fielding.edu/visible/aca-1/dispatch.cgi
http://moodle2.fielding.edu/login/index.php
Plaintext! Still the same on 7-19-14
20. Glogster
http://edu.glogster.com/login
Plaintext! Still the same on 7-19-14
21. Henderson State U
http://reddie.hsu.edu/ICS/
Plaintext! Still the same on 7-19-14
22. Humphreys College
http://online.humphreys.edu/login/index.php
Plaintext! Still the same on 7-19-14
23. Independence U
http://learn.independence.edu/
Plaintext! (Uses a Pearson service, shame on them too!)
HTTPS on 7-19-14
24. Jones International
http://courses.jonesinternational.edu/login.jkg?sid=4
Plaintext! HTTPS on 7-19-14
25. Johns Hopkins U
http://bluejay.cty.jhu.edu/login/index.php
Plaintext! Still the same on 7-19-14
26. Kean U
http://keansso.kean.edu/
Plaintext! Still the same on 7-19-14
28. Keuka College
http://learning.keuka.edu/login/index.php
Plaintext! Still the same on 7-19-14
29. Lewis-Clark State College
http://ezproxy.lcsc.edu:2048/login
Plaintext! Still the same on 7-19-14
30. Lincoln Land Community College
http://blackboard.llcc.edu/webapps/login/
Plaintext! HTTPS on 7-19-14
31. Los Angeles City College
http://moodle.lacitycollege.edu/login/index.php
Plaintext! Still the same on 7-19-14
32. National U
http://online.nu.edu/
Mixed on 7-19-14
http://www.curricunet.com/NU/index.cfm
http://community.nu.edu/community
Plaintext! Still the same on 7-19-14
33. Oklahoma City Community College
http://www.occc.edu/graderesults/index.html
Plaintext! Still the same on 7-19-14
http://www.occc.edu/email/password.html
Mixed Still the same on 7-19-14
34. Rasmussen College
http://portal.rasmussen.edu/logon.aspx
Plaintext! Still the same on 7-19-14
35. Rush U Medical Center
http://rulearning.rush.edu/webapps/login/
Base64, HTTPS on 7-19-14
36. Santa Clara U
http://www.scu.edu/careercenter/
Mixed Still the same on 7-19-14
http://claranet.scu.edu/eres/login.aspx
http://astra.scu.edu/AstraSchedule7/Portal/GuestPortal.aspx
Plaintext Still the same on 7-19-14
37. Smithsonian Institution
http://seasianceramics.asia.si.edu/home/login.asp
Plaintext! Down on 7-19-14
info@si.edu security@si.edu oighotline@oig.si.edu
38. Southern University and A&M College
http://blackboard.subr.edu/
Plaintext! Still the same on 7-19-14
39. St. Joseph's College New York
http://lib.sjcny.edu/vwebv/login.do
Plaintext! Still the same on 7-19-14
40. Stanford U
http://epgy.stanford.edu/login/
Plaintext! Still the same on 7-19-14
41. Style Sight
http://www.stylesight.com/edu
(May not be a college)
Plaintext! Still the same on 7-19-14
42. Texas Medical Center
http://iris.uth.tmc.edu/
Plaintext! Down on 7-19-14
43. Thomas U
http://ezproxy.thomasu.edu/login
Was plaintext, Still the same on 7-19-14
http://faculty.thomasu.edu/login.asp
http://student.thomasu.edu/login.asp
http://www.thomasu.edu/Private
Plaintext! HTTPS on 7-19-14
44. U of Georgia
http://glycomics.ccrc.uga.edu/GlycomicsPortal/login.action
Plaintext! Still the same on 7-19-14
45. U of Maryland
http://smithapps.rhsmith.umd.edu/Citrix/MyApps/auth/login.aspx
Plaintext! Still the same on 7-19-14
46. U of Massachusetts Amherst
http://illiad.library.umass.edu/illiad/AMH/illiad.dll
Plaintext! Still the same on 7-19-14
47. U of Massachusetts Boston
http://ocw.umb.edu/login_form
Plaintext! Still the same on 7-19-14
48. U of Minnesota
http://movielens.umn.edu/login
Plaintext! Still the same on 7-19-14
49. U of North Carolina Greensboro
http://libcdm1.uncg.edu/login/
Base64 Still the same on 7-19-14
http://libjournal.uncg.edu/index.php/jls/login/signIn
http://euc.uncg.edu/schedule/login.php?
http://integrity.uncg.edu/irb-zone/
http://www.uncg.edu/bae/gcs/exploration/login.html
Plaintext! Still the same on 7-19-14
50. U of Northern Iowa
http://www.uni.edu/studentorgs/scma/login
http://jobs.uni.edu/login/driver.php
Was plaintext, still the same on 7-19-14
http://www.library.uni.edu/login
Plaintext! HTTPS on 7-19-14
51. U of Wisconsin
http://videos.med.wisc.edu/users/login/
http://wiscareers.wisc.edu/default.asp?ok=no
Plaintext! HTTPS on 7-19-14
52. UC Berkeley
http://multimedia.journalism.berkeley.edu/accounts/login/?next=/
Plaintext! Still the same on 7-19-14
53. UCLA
http://cpr.molsci.ucla.edu/cpr/cpr/login.asp
Plaintext! Still the same on 7-19-14
54. UC Santa Cruz
http://oca.ucsc.edu/login -- apparently plaintext transmission of library barcodes
HTTPS on 7-19-14
56. UC Riverside
http://my.ucr.edu/
Plaintext! HTTPS on 7-19-14
57. West Point
http://bridgecontest.usma.edu/login.htm
Plaintext!
8pao@usma.edu security@usma.edu
Schools With Mixed HTTPS in HTTP Logins
These colleges serve the login page itself over HTTP, with an HTTPS login button or form action on that HTTP page. This is not as bad as a plaintext login, but it is still vulnerable to a man-in-the-middle attack with sslstrip: because the page arrives unencrypted, an attacker on the path can rewrite the HTTPS link or form action to HTTP before it reaches the browser, and the user, who never saw a padlock in the first place, then submits the password in plaintext.
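The three verdicts used in the lists on this page (plaintext, mixed, HTTPS, plus the "contains insecure elements" note on an HTTPS page) can be checked mechanically. The following is an added example, not the author's tooling: it classifies a login page from its URL and the HTML you already fetched, and its sslstrip_rewrite() is a toy of the sslstrip idea, just enough to show a "mixed" page collapsing into a plaintext one when the page is tampered with on the way to the browser. The sample pages and the example.edu hostnames are constructed, not real college pages, so the block runs offline.

```python
"""Classify a login page as plaintext, mixed or HTTPS, the buckets used in this survey.

Added example, not the survey author's tooling. Input is the page URL plus the HTML you
already fetched; the sample pages below are constructed, not real college pages.
sslstrip_rewrite() is a toy of the sslstrip idea, enough to show why a "mixed" page is
only as safe as the HTTP page it rides on.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginScanner(HTMLParser):
    """Collect forms (and whether each holds a password field) plus http:// subresources."""

    def __init__(self):
        super().__init__()
        self.forms = []                  # [{"action": str, "has_password": bool}, ...]
        self.insecure_subresources = []  # scripts/images/styles/frames loaded over http://
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and a.get("type", "").lower() == "password":
            if self._form is not None:
                self._form["has_password"] = True
        elif tag in ("script", "img", "iframe") or (
            tag == "link" and "stylesheet" in a.get("rel", "").lower()
        ):
            src = a.get("src") or a.get("href") or ""
            if src.lower().startswith("http://"):
                self.insecure_subresources.append(src)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def classify_login_page(page_url, html):
    """Return "plaintext", "mixed", "https", "https-with-insecure-elements" or "no-login-form"."""
    page_scheme = urlsplit(page_url).scheme.lower()
    scanner = _LoginScanner()
    scanner.feed(html)
    login_forms = [f for f in scanner.forms if f["has_password"]]
    if not login_forms:
        return "no-login-form"
    # A relative action inherits the page's scheme, so resolve it before reading the scheme.
    post_schemes = {urlsplit(urljoin(page_url, f["action"])).scheme.lower() for f in login_forms}
    if page_scheme == "https":
        if "http" in post_schemes:
            return "plaintext"  # HTTPS page whose form posts over http: password still in the clear
        if scanner.insecure_subresources:
            return "https-with-insecure-elements"  # e.g. a script over http:// that can read the form
        return "https"
    # The page itself came over http, so nothing on it can be trusted.
    if post_schemes == {"https"}:
        return "mixed"
    return "plaintext"


def sslstrip_rewrite(html):
    """What an on-path attacker does to an http page: downgrade every https:// reference.

    Toy version of sslstrip; the real tool also relays the downgraded requests to the
    server over TLS so the victim's login still works and nothing looks broken."""
    return html.replace("https://", "http://")


# Constructed sample pages (not real college pages).
MIXED_PAGE = """<html><body>
<form method="post" action="https://portal.example.edu/cp/home/login">
  <input name="user"><input type="password" name="pass"><input type="submit" value="Login">
</form></body></html>"""

PLAINTEXT_PAGE = """<html><body>
<form method="post" action="/login/index.php">
  <input name="username"><input type="password" name="password">
</form></body></html>"""

INSECURE_ELEMENTS_PAGE = """<html><head>
<script src="http://cdn.example.edu/js/login.js"></script></head><body>
<form method="post" action="login.php"><input type="password" name="pw"></form>
</body></html>"""

if __name__ == "__main__":
    for url, html in [
        ("http://my.example.edu/", MIXED_PAGE),
        ("http://my.example.edu/", sslstrip_rewrite(MIXED_PAGE)),  # same page through the attacker
        ("http://moodle.example.edu/login/index.php", PLAINTEXT_PAGE),
        ("https://www5.example.edu/login.php", INSECURE_ELEMENTS_PAGE),
    ]:
        print(f"{classify_login_page(url, html):30} {url}")
```

The "mixed" verdict only means the form action was HTTPS at the moment the page was read; run the same page through sslstrip_rewrite() and the classifier drops it to "plaintext", which is exactly what the victim's browser would see. An HTTPS page cannot be rewritten this way without a valid certificate, which is why the fix is to serve the login page itself over HTTPS, not just the form target.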
1. Academia.edu
http://www.academia.edu/login
Mixed Still the same on 7-19-14
2. Academy of Art U
http://online.academyart.edu/login
Mixed Still the same on 7-19-14
3. Caldwell College
http://caldwell.mrooms.net/
Mixed Still the same on 7-19-14
4. Carnegie Mellon U
http://www.cmu.edu/career/tartantrak/pronet/volunteer-information/index.html
Mixed; Down on 7-19-14
5. CCSF
http://insight.ccsf.edu/
Was mixed, HTTPS on 7-19-14
6. California College San Diego
http://learn.cc-sd.edu/
Mixed, HTTPS on 7-19-14
7. California State U Stanislaus
http://my.csustan.edu/
Was mixed, now HTTPS as of 7-19-14
http://www.csustan.edu/Blackboard/
Mixed Still the same on 7-19-14
8. Connecticut Community Colleges
http://my.commnet.edu/
Mixed Still the same on 7-19-14
9. Dalton State U
http://mydsc.daltonstate.edu/cp/home/loginf
Mixed Still the same on 7-19-14
10. Ferris State U
http://myfsu.ferris.edu/cp/home/loginf
Mixed Still the same on 7-19-14
11. Georgetown U
http://apps.georgetown.edu/
Mixed Still the same on 7-19-14
12. Grand Rapids Community College
http://www.grcc.edu/informationtechnology/enterpriseapplications/onlinecenterlogin
Mixed Still the same on 7-19-14
13. Harford Community College
http://owlnet.harford.edu/cp/home/loginf
Mixed Still the same on 7-19-14
14. Illinois Institute of Technology
http://my.iit.edu/cp/home/displaylogin
Mixed, still the same on 7-19-14
15. Ivy Tech Community College
http://cc.ivytech.edu/cp/home/displaylogin
Mixed Still the same on 7-19-14
16. Keene State College
http://prod.campuscruiser.com/PageServlet?pg=WebAdvisorIFrameProxy&a_ppl=ST&f_ormMnemonic=WMUI&cmp=F22.160_188&cx=22.160
Mixed Still the same on 7-19-14
17. Long Beach City College
http://online.lbcc.edu/
Mixed Still the same on 7-19-14
18. Massasoit Community College
http://ford.massasoit.mass.edu/cp/home/loginf
Mixed ; Down on 7-19-14
19. Mid-American Christian U
http://online.macu.edu/
Mixed Still the same on 7-19-14
20. Northeastern U
http://myneu.neu.edu/cp/home/displaylogin
Mixed Still the same on 7-19-14
21. Pierce College
http://moodle.piercecollege.edu/
Mixed Still the same on 7-19-14
22. Santa Monica College
http://smconline.org/index.real?action=Login
Mixed Still the same on 7-19-14
23. Tennessee State U
http://www.tnstate.edu/police/ens.aspx
Mixed Still the same on 7-19-14
24. U of Arkansas
http://isis.uark.edu/
Mixed, HTTPS on 7-19-14
25. U of North Carolina Asheville
http://luminis4.unca.edu/cp/home/loginf
Mixed, down on 7-19-14
26. U of North Florida
http://mywings.unf.edu/
Mixed Still the same on 7-19-14
27. U of West Georgia
http://myuwg.westga.edu/cp/home/loginf
Mixed Still the same on 7-19-14
28. School of the Art Institute of Chicago
http://go.artic.edu/cp/home/loginf
mixed, down on 7-19-14
29. Southern Connecticut State U
http://myscsu.southernct.edu/cp/home/loginf
Mixed Still the same on 7-19-14
30. Suffolk U
http://prod.campuscruiser.com/q?pg=home_welcome&cp=164
Mixed Still the same on 7-19-14
31. Webster U
http://connections.webster.edu/cp/home/loginf
Mixed Still the same on 7-19-14
32. William Paterson U
http://wpconnect.wpunj.edu/cp/home/loginf
Mixed, HTTPS on 7-19-14
33. Wright State U
http://wings.wright.edu/cp/home/displaylogin
Mixed Still the same on 7-19-14
Statistics
First 300 sites: 15 plain, 11 mixed
Posted 9:45 am 12-24-13 by Sam Bowne
Updated with re-notifications 10:33 am and 10:44 am 12-24-13
Updated turning URLs into hypertext and reporting results 7-19-14