Question
Four years ago, I discovered that an applet on my college's website sends SQL queries directly to a server application. The databases contain nominal and personal information about students and grades, and possibly more (SSNs?), but I'm not sure as I haven't tried anything, because I'm a good person.
In December 2010, I warned them of the potential vulnerabilities, and they thanked me. I know for a fact that the CTO was warned.
Four years later, the application is still up. The mechanics haven't changed, and the (deobfuscated) packet capture still shows SQL requests going to the server from the client. It could be that the server somehow checks them against a list of valid requests or something, but I can't be sure, and there are probably a few tripwires that I don't want to risk triggering without formal authorization.
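To make the design problem concrete, here is an added illustration (not code from the question or from the college's application) of the two server-side designs at issue: one that executes whatever SQL text the client sends, and a hardened one where the client only names an operation and the server runs a fixed, parameterised statement. The table layout, the operation names and the sample rows are constructed assumptions; a small helper also shows the kind of check a defender can run over captured client messages to confirm whether raw SQL is crossing the wire.

```python
import re
import sqlite3

# Constructed stand-in for the student database (assumed schema).
def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER, name TEXT, grade TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)",
                     [(1, "Alice", "A"), (2, "Bob", "B")])
    return conn

# Design described in the question: the client ships a complete SQL
# statement and the server executes it as received. The client, not the
# server, decides which tables and rows are touched.
def vulnerable_handler(conn: sqlite3.Connection, client_message: str) -> list:
    return conn.execute(client_message).fetchall()

# Hardened design: the wire protocol carries an operation name plus
# parameters. The server maps the name to a statement it owns, so no SQL
# text is ever accepted from the client and the parameters are bound, not
# concatenated. Operation names here are hypothetical.
ALLOWED_QUERIES = {
    "my_grade": "SELECT name, grade FROM students WHERE id = ?",
}

def hardened_handler(conn: sqlite3.Connection, op: str, params: tuple) -> list:
    sql = ALLOWED_QUERIES.get(op)
    if sql is None:
        raise ValueError(f"unknown operation: {op!r}")
    if sql.count("?") != len(params):
        raise ValueError("wrong number of parameters")
    return conn.execute(sql, params).fetchall()

# Defender's check over decoded client->server messages from a capture:
# a message that starts with a SQL verb means the client is sending SQL
# text, i.e. the vulnerable design is still in use.
SQL_VERBS = re.compile(
    r"^\s*(SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|CREATE)\b", re.IGNORECASE)

def looks_like_sql(client_message: str) -> bool:
    return SQL_VERBS.match(client_message) is not None

if __name__ == "__main__":
    db = build_sample_db()
    print(vulnerable_handler(db, "SELECT name FROM students WHERE id = 1"))
    print(hardened_handler(db, "my_grade", (2,)))
    print(looks_like_sql("SELECT grade FROM students"))   # True
    print(looks_like_sql('{"op": "my_grade", "params": [2]}'))  # False
```

Whether the real server filters incoming statements against an allow-list, as the question speculates, is something only the server operator can verify; from the client side, the presence of SQL text in the capture is the observable fact.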
Explanation / Answer
If you are no longer a student in that college, then you could sue them for not applying due care in the handling of your personal data. Technically you could also do that if you are still a student there, but no longer being a student means that they would have a harder time retaliating if they are so minded.
The crucial point here is that being a potential victim gives you an acceptable reason for putting your nose in these matters. Otherwise it would be all too easy to flag you as an Evil Hacker.