This is fucking bad. I just stumbled across a database online, unencrypted plain text containing ALL details of thousands of students at my university. Full names, ID number (SSN), student numbers, address, family info, medical aid info, physical fitness reports

What do I do? I was not on any VPN or proxy when I accessed it

Contact the Dean of Students (or equivalent)?

@Gophyr
I dont want to touch the whole situation, last thing i want is to get sued now and companies in my country are known for lashing out when they fuck up

Just found my own information, goddamit

Send anonymous message, they can’t blame you of using the Internet, and students have probably more reasons to sue them than them sueing you

You could also try to get a group of people that you can trust to signal them the problem without mentioning you

Unencrypted? Stumbled upon?
With such lax security, it's exceedingly unlikely they're monitoring it for "intrusions."

This made me fucking cringe, that’s NOT okay. How does one even allow such a huge security slip up to occur?

That’s horrifying. Like others have said, if you fear repercussion of reporting this, do it anonymously. But my two cents, if they punish you for saving their ass and you have the fear that they may sue you, it’s definitely time to find a different school.

I know that’s a huge change, but fuck that man. I wouldn’t want to attend a college or work at a place where an act that would protects their ass makes them place a target on my back.

White hat security researchers and people that find someone else’s fuck up shouldn’t be punished for reporting anything, period. I’ve seen this shit before and it pisses me off.

@simpleJack Well the main question is how did you stumbled upon this database? What were you looking for in the first place? This will be the firat question anyone will ask.

Easy, sue them

@Crayons leaving a reply cause I'm just as curious

@Crayons I too am curious. Leaving a reply to follow the thread.

To all those wondering how i found it, i was editing my own profile when i noticed my id in the url, for shits i tried replacing it with my friends ID and all his details popped up, i then used a wildcard and the server dumped 14k profiles (there were more but i stopped it)

The basic issue is students can access and edit their profiles but no system had been put in place to verify that it is actually you editing the profile, this means you can edit anyones data or just dump it all

@simpleJack I think you should report this to someone you trust. Its a much bigger issue for your university then you. Secondly, i am sure they wont sue you for this. Bcoz if they will sue you and this goes to public then its bad PR for your University.

Update: you can change other users emails and passwords, furthermore, server does not validate client side input, was able to query anything

This is what makes it so easy to fake who you are and dump other users profiles

@simpleJack Lol, well altering will be the thing that gets you in trouble, I wouldn’t hold on to that DB any longer than you already have without reporting it man, the longer you wait, the longer it’ll look suspicious as to why you didn’t speak out sooner.

And if they know what they’re doing (it doesn’t seem as though they do if this is wide open) but it may still log IPs. Stay safe.

@AnonyOps
Yeah i didnt actually change anything i just saw thats its possible, im done with whole thing now

@simpleJack You can formally ask them what would be the desired procedure you should follow to warn them , should the unlikely possibility that you discover some kind of vulnerability in their systems occurs - no need to say or admit you have already found one. If the answer is ok for you , I guess you can proceed.

I'd love to take a look at that DB 😁

@StazC honestly, same.