GHOST IN THE SYSTEM
‘Bug’ in Wits University website renders prospective students’ details easily accessible
The university says the ‘bug’ was fixed after it was alerted on Monday. It says it will deal with the saga using the Protection of Personal Information Act and its internal disciplinary policy, after the ICT helpdesk failed to respond to a ‘tip-off’ in July.
The IDs, emails and addresses of prospective students who applied for admission at the University of Witwatersrand in the past five years could be easily accessed since July 2023.
Daily Maverick has learnt that a flaw in the university’s website that allowed this was found by a 22-year-old prospective student, Cameron Holm.
Holm, who has a Bachelor of Computer and Information Science majoring in Software Development, said he found out in July that details of prospective students were easily accessible on the university’s website.
Holm said that at the time he was applying for a BCom Hons in Information Systems at Wits.
Holm said he discovered a flaw in Wits’ system where he had access to the names, IDs, addresses and emails of every applicant to the university for the past five years.
He said he reported the matter to Wits’ ICT helpdesk without any success.
“More than a few at the ICT helpdesk assured me they would get back to me and they would take the issue higher.”
‘Ghost account’
Holm said it seemed that the Wits system had been vulnerable since 2019.
“There is a weird ghost account you can accidentally access very easily by accident,” Holm said.
He said there were applications in limbo in that account going back to 2019.
“And trust me, this vulnerability is something I did for my very first class in cybersecurity,” he said.
Holm said whoever created it was either ignorant or did not have regard for anyone’s personal safety.
It’s unclear whether anyone else accessed the data.
Wits responds
Wits spokesperson Shirona Patel confirmed on Tuesday that “an individual found a bug” in the university’s application system.
“We understand that the individual, who we believe has a background in cybersecurity, was able to manipulate a URL to access the system,” Patel said.
She said the matter was brought to the attention of the chief information officer on Monday.
Patel said the “bug” was immediately fixed.
“The university views this matter in a serious light and will deal with the matter in accordance with the provisions of the Protection of Personal Information Act.”
She said they were trying to determine who was contacted at the ICT helpdesk and why, if there was such a report, it was not attended to immediately.
“If any employee is found to have erred, the university will manage the matter in line with its rules for staff discipline, policies and procedures,” she said. DM