CampusBase vulnerability exposes student information — again

AMS CampusBase is facing renewed privacy concerns as a security vulnerability allowed users to log in to another user’s account and view their personal information before the company resolved the issue.

By using a browser’s developer tools, third-year computer science student Edward Vo found that when creating a new chat, a server response contained URLs that allow you to edit the profile of any user you were suggested to chat with.

When clicking those links, the website logs you in as that user.

Vo also found that a user could use their unique session identifier given by AMS CampusBase to log in to other universities’ version of CampusGroups.

By exploiting the chat vulnerability, a user could log in as someone from another school.

Users could log on to CampusGroups at other schools.
Users could log on to CampusGroups at other schools. Screenshot MIT CampusGroups

If a profile with administrator privileges is listed in the chat feature, then a user could log in to that administrator’s account. That session identifier could then be used to obtain administrator access on any version of CampusGroups — this includes viewing the records of all clubs and students on the site.

Yorick Ser, CEO of CampusGroups, the company behind AMS CampusBase, said that the company became aware of the issue after an unspecified UBC student raised concern between noon and 1 p.m. today, resolving it within the following 10 to 15 minutes.

“Basically, it was a bug that we uncovered here and fixed right away,” he said. “ … We are constantly reviewing the code. Obviously this one was not found by our team.”

CampusGroups Chief Technology Officer Albert Richard said that the company conducts weekly vulnerability screenings pursuant to industry standards, but this vulnerability “fell through the cracks.”

“We're going to have some serious discussions with them and understand what's going on, what happened and what we can do to prevent this from happening again,” Ser said.

As of publishing, the profile links were no longer viewable and users were unable to log into other schools’ CampusGroups platforms. When an ‘Edit profile’ link is clicked, the site returns an error message.

When an 'Edit profile' link is clicked, the site returns an error message.
When an 'Edit profile' link is clicked, the site returns an error message. Screenshot AMS CampusBase

Vo said he discovered the vulnerability late last week while playing around with the CampusBase website. As a computer science student, he said he had been working on a similar platform for students and clubs.

It wouldn’t take much for anyone with knowledge of web development to stumble across the vulnerability, he said.

“As a student, I am actually very upset. I would be even more upset if the AMS was to continue using CampusBase because this is, to me, very weird that security wasn’t designed into it from the start. It was clearly an afterthought,” said Vo.

“This is a mistake that shouldn’t be in a platform that the AMS is paying $50k a year for.”

Cole Evans, AMS president, said the amount it pays CampusGroups is confidential under their five-year contract. However, there is a $51,550 line item for “Clubs and Societies Systems” in the 2020/21 AMS budget.

Evans added that the AMS has no intent of changing relationship with CampusGroups.

“We’re extremely confident that no student data was maliciously accessed during this time, and CampusGroups will also be doing an audit of their system to verify that,” he said.

CampusBase is the AMS’s replacement to the retired Clubhouse system, which clubs criticized for its difficulty of use.

In August, The Ubyssey found ahead of the CampusBase launch that users could view over 40,000 students’ personal email addresses or student numbers in the search function. The AMS fixed the issue later that day.

Evans said that the platform posed no risk to students’ privacy.

“Students should be no more concerned about their data with the campus-based platform than they would be with any other system that they store data on,” he said.

The AMS said it had conducted an internal privacy assessment of CampusBase, but Vo said it was a “red flag” that the society did not release the results.

AMS President Cole Evans promised to release its privacy assessments of CampusBase at the AMS’s annual general meeting on October 29, but the society has yet to do so.