Hackers Demonstrate Lack of Basic Security on a Moscow University Website

  • The website of a Moscow university that hosted the first round of the Olympiads was taken down to fix security flaws.
  • Hackers discovered and reported a very straightforward way to access and edit information on the site.
  • The repercussions include the discrediting and possible invalidation of the competition, as well as a delay to it.

Hackers have discovered some pretty “elementary” vulnerabilities on the “org.mephi.ru” site, which currently accepts registrations for the first qualifying rounds of Olympiad competitions in physics. This is extremely critical for the validity of the competition, since the hackers could change the participants’ scores, receive the problems in advance, gain access to other people’s sessions, change their answers, and arbitrarily declare a winner of their choice. Exfiltration of sensitive participant data was also possible.

Being an Olympiad winner in Russia means being granted admission to any university you want, including high-profile ones such as Moscow State University, MGIMO, St. Petersburg State University, Phystech, Baumanka, and MEPhI itself. Due to the ongoing COVID-19 pandemic, these competitions have moved online, so thousands of students from across Russia are entering to test their skills.

According to sources in the country, hackers found a way to break into the MEPhI website in a few seconds: it was just a matter of changing three characters in a request to perform an SQL injection attack. SQL injection vulnerabilities are so easy to find that web developers rely on fully automated scanners to locate and fix them. This is why they are generally not prevalent, but they may still be present on platforms that were pushed online hastily or built by people without sufficient technical understanding.
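To show what the article means by a few changed characters turning into a full data leak, here is an added illustration (not code from the MEPhI portal): a registration lookup built by string concatenation beside its parameterised fix, run over a constructed in-memory table. The table name, participant ids, names and scores are all invented sample data.

```python
"""Added example: a string-built SQL lookup versus a parameterised one.
Table, rows and participant ids are constructed sample data, not from
the MEPhI portal."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for an Olympiad registration DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE participants (id TEXT, name TEXT, score INTEGER)")
    conn.executemany(
        "INSERT INTO participants VALUES (?, ?, ?)",
        [("p001", "Anna", 87), ("p002", "Boris", 92), ("p003", "Vera", 78)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, participant_id: str) -> list:
    """Vulnerable: the user-supplied id is pasted straight into the SQL text,
    so quote characters in the input become SQL syntax."""
    sql = f"SELECT id, name, score FROM participants WHERE id = '{participant_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, participant_id: str) -> list:
    """Hardened: the id travels as a bound parameter and is only ever data."""
    sql = "SELECT id, name, score FROM participants WHERE id = ?"
    return conn.execute(sql, (participant_id,)).fetchall()


def demo() -> dict:
    """Run the same honest and tampered input through both lookups."""
    conn = make_db()
    honest = "p001"
    # A handful of extra characters turn a one-row lookup into a dump of
    # every participant's record in the vulnerable version.
    tampered = "p001' OR '1'='1"
    return {
        "honest_vuln": lookup_vulnerable(conn, honest),      # 1 row
        "tampered_vuln": lookup_vulnerable(conn, tampered),  # all 3 rows
        "tampered_safe": lookup_safe(conn, tampered),        # no rows
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The parameterised version is what an automated scanner would push a developer toward; the tampered id simply fails to match any row.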

This was reported to MEPhI, which admitted the presence of SQL injection and XSS flaws and promised to fix the online portal and strengthen its security as quickly as possible. Currently, the MEPhI domain leads to a “dummy” page that no longer contains the registration portal. At the same time, the deadline for the completion of the preliminary rounds of the Olympiads is expected to be extended.

MEPhI dummy webpage

According to experts in the field, there is no severe risk of mass exploitation of these vulnerabilities, so this incident threatens the competition itself rather than the participants’ personal details. The most likely abuse would be someone exploiting the SQL injection flaw to declare themselves a winner, or doing the same for someone else in exchange for money.

Surely, this was an embarrassing event for MEPhI (Moscow Engineering Physics Institute), which also has a department of “Cyber Intelligence Systems.”
