Shostack + Friends Blog Archive


USC Admissions, 320,000 SSNs, SQL Injection

A programming error in the University of Southern California’s online system for accepting applications from prospective students left the personal information of as many as 320,000 users publicly accessible, school officials confirmed on Tuesday.

“Sap,” discoverer of the vulnerability in USC’s Web application
The flaw could have allowed an attacker to send commands to the database that powered the site by using the user name and password text boxes. USC’s Information Services Division confirmed the problem and shuttered the site this week as a precaution. The university believes only a handful of records were actually accessed and plans to contact each person.

The vulnerability in USC’s online Web application system is a relatively common and well-known software bug, known as database injection or SQL injection. A lack of security checks on user input allows a hostile user to submit a database command rather than a log-in name. The command could cause the database to send its information back to the attacker or aid the attacker in compromising the computer system hosting the database.

So reports Rob Lemos in “Flawed USC admissions site allowed access to applicant data,” at SecurityFocus.

USC claims that far fewer people were affected, without giving us reason to believe them, like “We were able to find the intrusions in our logs.”

2 comments on "USC Admissions, 320,000 SSNs, SQL Injection"

  • Chris Walsh says:

    320K records exposed, and this was information from applicants? Either there was a good deal of historical data there (eg., applicants from previous years), this wasn’t just applicant data, or USC is way more popular than I thought.

  • Adam says:

    Storage is cheap! Why throw the data away? You might want to do research on what percentage of applicants you reject whose social security number ends with a prime.

Comments are closed.