Vulnerability in CampusNet: Addresses of over one million students exposed online

Through clever search filters, attackers could have pieced together the addresses of all students. Manufacturer and universities reacted promptly.


(Image: Iakov Filimonov/Shutterstock.com)


A vulnerability in the administrative software CampusNet allowed student addresses to be intercepted. A security researcher discovered this and reported the vulnerability to the Chaos Computer Club (CCC). The CCC coordinated the fix with the manufacturer – most of the affected institutions reacted quickly.

CampusNet is, according to its manufacturer Datenlotsen, an “integrated campus management system that helps [educational institutions] to optimize daily academic and administrative processes”. Many of CampusNet's functions are also accessible via the internet – searching for “CampusNet” reveals access portals page after page. Students can use these portals to manage their enrollment at the university, for example.

However, via a search mask, attackers could have assembled the addresses of all students with a little patience or automation – more than a million in total. The main problem: the search field honoured the wildcard character “%”, so a query consisting only of wildcards matched every record and returned all of them. These included, for example, the names of all students enrolled at the affected educational institution in past years and currently.

When the researchers tried postal codes, street names, and house numbers, they received the names of all (former) students whose addresses contained the respective component. By cleverly forming intersections, the security researchers could assemble the complete addresses. This process can be easily automated to obtain a student directory. According to a CCC count, a total of 1,140,919 former or current students are affected by the data leak.
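As an added illustration (not code from Datenlotsen, the CCC or the article), the following Python sketch reproduces the class of weakness described above and one way to harden such a search mask: a field that honours SQL LIKE wildcards returns every record for “%”, whereas escaping the wildcards, requiring a minimum number of literal characters and capping the result set removes the bulk-enumeration path. The table, column names, sample records and thresholds are assumptions.

```python
import sqlite3

# Constructed sample data (not from the article): a few fictitious records.
STUDENTS = [
    ("Anna Muster", "Musterstr. 1", "20095", "Hamburg"),
    ("Ben Beispiel", "Beispielweg 12", "28199", "Bremen"),
    ("Cem Test", "Testallee 7", "64283", "Darmstadt"),
]

def make_db():
    """In-memory SQLite table standing in for a campus management database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students(name TEXT, street TEXT, zip TEXT, city TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?, ?, ?)", STUDENTS)
    return conn

def search_weak(conn, term):
    """Weak: the term is bound as a parameter (no SQL injection), but LIKE
    metacharacters in it are honoured, so a bare '%' matches every row."""
    rows = conn.execute("SELECT name FROM students WHERE street LIKE ?", (term,))
    return [r[0] for r in rows.fetchall()]

def escape_like(term, esc="\\"):
    """Neutralise LIKE metacharacters so the user's text is matched literally."""
    return term.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")

MIN_LITERAL = 3   # assumed minimum of non-wildcard characters per query
MAX_RESULTS = 20  # assumed cap; broad queries fail instead of dumping the table

def search_hardened(conn, term):
    """Hardened: wildcards are escaped, too-short terms are rejected and the
    result set is capped. Returns matching names or raises ValueError."""
    literal = term.replace("%", "").replace("_", "").strip()
    if len(literal) < MIN_LITERAL:
        raise ValueError("search term too short")
    pattern = escape_like(term) + "%"  # prefix match on the literal text only
    rows = conn.execute(
        "SELECT name FROM students WHERE street LIKE ? ESCAPE '\\' LIMIT ?",
        (pattern, MAX_RESULTS + 1),
    ).fetchall()
    if len(rows) > MAX_RESULTS:
        raise ValueError("too many matches; refine the search")
    return [r[0] for r in rows]
```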

After the CCC informed the manufacturer Datenlotsen, the DFN-CERT (Deutsches Forschungsnetz - Computer Emergency Response Team) and the 22 affected educational institutions on February 23rd, they reacted promptly: most institutions fixed the data leak on the same day, and access to the corresponding search mask now fails at all reported universities.

As the CCC writes in a blog post, some institutions did not manage to report back with a completion notice, but spokesperson Matthias Marx is nevertheless largely satisfied: “It is gratifying how quickly and professionally most universities reacted. Only four institutions apparently show little interest in future tips.”


For most students, the data leak is likely to be annoying – it helps criminals with identity theft. However, for those enrolled at the Hamburg Police Academy, further security risks could arise. It is unclear, however, whether data actually fell into unauthorized hands via the open wildcard search.

The affected universities and educational institutions were, in detail:

  • Hamburg Police Academy
  • Constructor University Bremen
  • EBS University of Business and Law
  • HCU Hamburg
  • HFK Bremen
  • Eberswalde University for Sustainable Development
  • Neubrandenburg University of Applied Sciences
  • Ruhr West University of Applied Sciences
  • HS Osnabrück
  • Kalaidos University of Applied Sciences
  • Merz Academy
  • New Design University
  • THH Friedensau
  • TU Darmstadt
  • TU Dresden
  • University of Bremen
  • University of Hamburg
  • University of Leipzig
  • University of Mainz
  • University of Paderborn
  • University of Europe for Applied Sciences
  • Center for Distance Learning in the University Association

Some impacted universities informed the respective state data protection and freedom of information officers (LfDI), and the CCC also contacted the reporting offices.


c't uncovered a similar security vulnerability in the university administrative software of HIS in 2020.

(cku)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.