One would expect that university websites, which host expansive databases and crucial student information, would be tight on security. But it turns out that the official website of the State’s only health university, the Rajiv Gandhi University of Health Sciences (RGUHS), is easy for even a student hacker to enter and modify.
There’s enough proof online that the official message board of the university, which serves as an interactive forum, has been breached more than a dozen times by hackers, who have left behind embarrassing messages damning the poor security of a premier university portal.
An “ethical hacker”, a student at a Bangalore college, demonstrated to The Hindu that the online teachers database management system and the online admission student management system are both easy to break into.
For instance, this “ethical hacker” uses a simple SQL injection to log in to the teachers database management system. While he is wary of tampering too much with the online admissions system, to remain on the safe side of the law, he shows that he can log in as “admin”, freely use the master panel to set up a new user (as a constituent college), and access lists of theory and practical marks.
Where did he find the password that enables him to function as “admin”? He didn’t have to look far: the log file, which is directly viewable, simply listed the password.
The student hacker demonstrates that it isn’t just the RGUHS which is lax about its website controls or security. Even the websites of the Rani Channamma University, Belgaum, and Kuvempu University are easy to enter because, once again, their technology teams haven’t changed the default password.
Universities’ response

Meanwhile, two of the three universities brushed aside the concerns. While B.R. Ananthan, Vice-Chancellor of Rani Channamma University, Belgaum, expressed surprise about the vulnerability of his university website, Sriprakash K.S., Vice-Chancellor of RGUHS, said that they had not come across any problems so far.
S.A. Bari, Vice-Chancellor, Kuvempu University, said that there was no sensitive data stored in the website. H.N. Ramesh, CEO, Logisys, a university automation company that provides services to these universities, admitted that laxity with passwords was a common problem. He suggested that there should be a dedicated team maintaining the website and the contents must be regularly updated.