Hackers Demonstrate Lack of Basic Security on a Moscow University Website
Hackers have discovered some pretty “elementary” vulnerabilities on the “org.mephi.ru” site, which currently accepts registrations for the first qualifying rounds of Olympiad competitions in physics. This is extremely critical for the validity of the competition since the hackers could change the participants’ scores, receive the problems in advance, gain access to other people’s sessions, change their answers, and arbitrarily declare the winner of their choice. Additionally, sensitive participant data exfiltration was also possible.
Being an Olympiad winner in Russia means getting awarded an enrollment to any university you want, including high-profile ones such as the Moscow State University, MGIMO, St. Petersburg State University, Phystech, Baumanka, and MEPhI itself. Due to the ongoing COVID-19 pandemic, these competitions have gone online, so thousands of students from across Russia are entering to test their mental skills.
According to sources in the country, hackers have found a way to break into the MEPhI website in a few seconds, as it was just a matter of changing three characters in the code to perform an SQL injection attack. SQL injection vulnerabilities are so easy to find that web developers rely on completely automated solutions in order to locate and fix them. This is why they are generally not prevalent, but they still may be present on platforms that were pushed online hastily or by people with a lack of technical understanding.
This was reported to MEPhI, which admitted the presence of SQL injection and XSS flaws and promised to amend the online portal and strengthen the security as quickly as possible. Currently, the MEPhI domain leads to a “dummy” page that doesn’t contain the registration portal anymore. At the same time, the deadline for the completion of the preliminary rounds of the Olympiads is expected to be extended.
According to experts in the field, there’s no severe risk of massive exploitation of these vulnerabilities, so this incident isn’t threatening the participants’ personal details but rather the competition itself. Most likely, someone would exploit the SQL injection vulnerability to declare themselves winners or do the same for someone else in exchange for money.
Surely, this was an embarrassing event for MEPhI (Moscow Engineering Physics Institute), which also has a department of “Cyber Intelligence Systems.”