T-Square Security Holes

At Georgia Tech, the course system that is used by students is called T-Square (based on Sakai). It’s pretty nice system that supports forums, wikis, chats, blogs, and a bunch of other tools.

Sakai is open source; consequently, Georgia Tech can maintain the software and fix and bugs it finds.

Unfortunately, I found security holes with T-Square. These holes can allow a hacker to access another users’ identity. If that user is a teacher or TA, the hacker can easily take their identity and edit grades. In fact, due to the poorly organized structure of Georgia Tech’s backend, the hacker can not only access the user’s T-Square account, but also their Oscar account (which holds even more private information, such as social security numbers).

I would love to share how to exploit this security hole;  unfortunately, my moral compass forbids me to publish my video of an example T-Square attack… yet. I’ve contacted Georgia Tech and hopefully they will patch it up. After they do to my satisfaction… then maybe I’ll post it on YouTube.

Now I’m not making this post to brag. I’m making a point. A high-esteemed technical university such as Georgia Tech should be able to find these problems with their system. Web developers should be educated on the basics of computer security so that their student’s private records are not compromised.

One thought on “T-Square Security Holes”

  1. Sakai is open source. Fix it yourself and make a big deal out of it by releasing your fix the same day you reveal your exploit at a grey-hat security conference.

    This is the advantage of open source.

Leave a Reply

Your email address will not be published.