
I clicked through and skimmed for "losing my sanity". I didn't find anything - total clickbait headline - but it was interesting to note the utter lack of reasonable ACLing in the university's campus food-ordering system, as well as the social engineering "attack" of posing as users to post their project and get actual users to try it.



The loss of sanity, I reckon, was when they found out about all the backdoors and lax security the old system had. Incrementing int for IDs, the session key being part of the URL as a parameter, the XML. This may be something you're ok with but for those of us who care about security, this would drive me mad as well.


State University of New York used to famously use students' Social Security Numbers for their student ids up until around 2005. That student id was printed on your student id card and used for just about every system on campus.

They finally changed that system after lots of scams/fraud perpetrated against students brought the practice to media attention.

Wild.


This was pretty common. I went to two schools that did this in the late '90s and early '00s. 'Twas just a different time.


Wow... That's definitely worthy of a daily wtf.


I believe it was the same situation at Oregon State, around 2003.

Perhaps it was easier for the ID vendor to key against a registrar db.


I must've missed the hacking part. All I saw was a phishing expedition that resulted in them being able to log in as other users (and scrape their data)?



