Related link: http://poweryogi.blogspot.com/2005/03/hbsapplyyourself-admit-status-snafu.html

Earlier this month I heard about a fuss over an information leak out of ApplyYourself, a company that helps manage the admissions process for schools. Apparently they didn't protect their information about admission status for students, and a particular URL would let students know how their application was doing. An entry in PowerYogi explains how it worked. Type the right URL into the browser and you get the information.

Now, according to Reuters, Harvard Business School is rejecting applications from 119 students who took advantage of the ApplyYourself bug. Accepted Admissions Almanac posted a letter they sent to Business Week. They know which students looked at their application status since they used the session and user IDs that ApplyYourself gave to them. They weren't being sneaky or trying to get information on anyone other than themselves.

The information each student needed to get to the application status was gladly given to them by the web pages they were already allowed to view. I don’t see any “hacking” here.

Harvard Business School calls this “unethical”. Most businesses would call it “resourceful”, but that’s just another way schools and reality diverge. If anyone is to blame, it’s ApplyYourself and their inability to control the information or correctly authorize its viewing. They made it available, and people looked at it.

Simply not linking to information is not a security model.
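
To make that last point concrete, here is an added sketch (not ApplyYourself's code and not part of the original post) of a status page protected only by being unlinked, next to one where the server checks every request. The session store, user IDs, decision record, release date and function names are all hypothetical, and it assumes the decision already sits in the database before the school means to show it.

```python
from datetime import datetime, timezone

# Constructed sample data; every name and value here is hypothetical.
SESSIONS = {"sess-a1": "user-17", "sess-b2": "user-42"}   # session id -> user id
DECISIONS = {
    "user-17": {"status": "admitted",
                "release_at": datetime(2030, 4, 1, tzinfo=timezone.utc)},
}


def status_unlinked(session_id, user_id):
    """Before: the page answers any well-formed request from a logged-in
    applicant. Nothing links to it yet, and that is the only 'control'."""
    if SESSIONS.get(session_id) != user_id:
        return 403, None
    record = DECISIONS.get(user_id)
    return (200, record["status"]) if record else (404, None)


def status_authorized(session_id, user_id, now):
    """After: the server decides on every request whether this caller may
    see this record at this time, whether or not a link exists."""
    owner = SESSIONS.get(session_id)
    if owner is None:
        return 401, None                  # no valid session
    if owner != user_id:
        return 403, None                  # someone else's record
    record = DECISIONS.get(user_id)
    if record is None or now < record["release_at"]:
        return 404, None                  # unreleased looks the same as "no record"
    return 200, record["status"]


if __name__ == "__main__":
    early = datetime(2030, 3, 1, tzinfo=timezone.utc)
    late = datetime(2030, 4, 2, tzinfo=timezone.utc)
    print(status_unlinked("sess-a1", "user-17"))           # answers before release
    print(status_authorized("sess-a1", "user-17", early))  # refused until release
    print(status_authorized("sess-a1", "user-17", late))   # allowed after release
```

The release check lives in the handler, so it holds no matter how the request was built or where the URL came from.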