Easy reporting of website security problems

Two major educational institutions in India have a major security issue with their websites (which contain student information), and that information has now been exposed to any roaming cyber-shark. This information was released rather irresponsibly on Twitter today.

This post is about the difficulty that I faced while trying to contact these organisations. None of the phone numbers listed on their site contact pages worked, and the only listed email was a Gmail-based address.

Since these sites have exposed almost all their student contact information and other details, I thought of contacting them so that they could quickly block access. But sadly all efforts to connect via phone have failed. The last recourse was to email their listed Gmail address, which I am sure is inundated with spam and so is not monitored regularly, or is even ignored.

Any organisation with a web site that hosts student, patient, customer or other private information behind an authentication framework should expect to be compromised, or, as in this case, to be affected by bad software design that allowed an admin login with access to all student records. When such a compromise is detected by white hats, pen testers and other cyber security outfits, they generally post it on their own site and social networks. A security report section should be made part of a standard website framework, alongside the existing home, about, contact and blog sections. This makes it very easy for the organisation to be informed about any security problems, and resolution can be that much faster.

The Security Vulnerability Reporting section should contain the following:

A dedicated email address e.g. security.problem@domain.tld

A Security Vulnerability Reporting policy that defines the cyber warriors' code of conduct:

  1. Don’t steal, corrupt or delete data
  2. Don’t disrupt or degrade service
  3. Disclose the vulnerability with technical details and proof-of-concept if necessary.
  4. Provide a reasonable amount of time before public disclosure.
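One concrete way to publish the dedicated address and the policy above is the RFC 9116 `security.txt` file, served at `/.well-known/security.txt`, which reporters and scanners look for by convention. The following is an added example, not code from the original post: it builds such a file and checks the fields a reporter relies on (a usable contact URI and an unexpired `Expires` date). The contact address, the policy URL and the choice of `security.txt` as the mechanism are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed values; Contact uses the address format the post suggests.
CONTACT = "mailto:security.problem@domain.tld"
POLICY_URL = "https://domain.tld/security-policy"  # assumed location of the code of conduct
TS = "%Y-%m-%dT%H:%M:%SZ"  # RFC 9116 wants an ISO 8601 timestamp; only the Z-suffixed form is handled here

def build_security_txt(contact: str, policy: str, days_valid: int = 365, now=None) -> str:
    """Return security.txt content with the mandatory Contact and Expires fields plus Policy."""
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(days=days_valid)).strftime(TS)
    return f"Contact: {contact}\nExpires: {expires}\nPolicy: {policy}\n"

def check_security_txt(text: str, now=None) -> list:
    """Return the problems found; an empty list means a reporter can rely on the file."""
    now = now or datetime.now(timezone.utc)
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no fields
        name, _, value = line.partition(":")
        fields.setdefault(name.strip(), []).append(value.strip())
    problems = []
    contacts = fields.get("Contact", [])
    if not contacts:
        problems.append("missing Contact")
    elif not all(c.startswith(("mailto:", "https://", "tel:")) for c in contacts):
        problems.append("Contact must be a mailto:, https:// or tel: URI")
    expires = fields.get("Expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            exp = datetime.strptime(expires[0], TS).replace(tzinfo=timezone.utc)
            if exp <= now:
                problems.append("file has expired, reporters may treat the contact as stale")
        except ValueError:
            problems.append("Expires is not a UTC ISO 8601 timestamp")
    return problems

if __name__ == "__main__":
    good = build_security_txt(CONTACT, POLICY_URL)
    print(good, check_security_txt(good))                      # []
    print(check_security_txt("Contact: security@domain.tld"))  # bare address and no Expires
```

Serving the generated text at `/.well-known/security.txt` (and re-running the check before the `Expires` date passes) gives a reporter a working channel even when the phone numbers on the contact page do not.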

Of course, once this problem has been reported and fixed, it is the organisation's responsibility to inform all the people whose data has been compromised. A general rule of thumb is that if the exposed data is likely to affect the person, then they must be informed about the data breach. Email ID, password and phone number are all valid candidates to trigger the “likely to be affected” alert. Passwords are especially sensitive, as it is common practice to reuse passwords across services like email, Facebook, Twitter, Instagram, etc.

Please don’t contact me for the school names.