He plans to announce his findings on a radio station to attract attention

Nov 17, 2011 15:43 GMT

A gray hat hacker claims that he found multiple vulnerabilities in the website of the University of Melbourne, but that even after he informed the site administrators multiple times, they failed to patch the issues.

The website is down and, even though its owners blame the shutdown on maintenance procedures, the hacker, who calls himself St0rm, says it was actually taken down because its administrators fear a potential hacking operation.

By taking advantage of an SQL injection vulnerability, St0rm managed to access two databases that contained 147 tables filled with sensitive information.

After a few phone calls, he managed to get in touch with the website's administrators, who admitted that the situation was out of their hands.

Some further research on the hacker's part revealed that the university owned more than 40 domains, 3 of which turned out to be vulnerable as well. All the databases he could access contained tons of information such as credentials, emails and phone numbers, and even though the administrator's credentials were properly encrypted, the members of the staff remained exposed.

Since the emails, tweets and phone calls had no effect, St0rm will make a statement on an Australian radio station in hopes that someone will finally fix the flaws.

“I've done nothing with the information, and I've not accessed any secret places within their site. I've merely found a vulnerability and exploited it then tried to communicate with the site's admins. After failing which I've decided to talk on the Radio, to alert people and tell them it's going on,” he said.

The funniest part of his story is where the person from the front desk, after hearing everything he had to say, asked "Oh so are you selling us some software?"

If the story is in fact true, then it goes to show that institutions have not yet learned from the mistakes of others. Each day we witness databases containing information that yells 'identity theft' being leaked on the internet, and still organizations that handle private data fail to take the appropriate measures to prevent such incidents.