Obtaining confidential information on other students in TAFE SA's Force system
During the month of January 2018 I enrolled for a certificate in the South Australian branch of TAFE. Later in the month I was accepted into a position and swiftly pointed to a website to create an account and fill in various pieces of private and confidential information. The website was built on the Salesforce platform.
The site itself was interesting. On the surface it appears to be a forum platform, including post/comment counts, followers, a complete profile to edit (including avatar) and other forum-esque features; however, at least to an unprivileged user, it is completely locked down. We were informed that this website is how we will retrieve, submit and keep track of our work, reminiscent of Moodle. Currently I am able to upload files and manage them; however, nothing else is public facing. Here is how the site looks to me currently (sitting on my profile page):
After playing around with the site for a little while, as I do with any new service I use, I stumbled upon a 404 page that is not themed after the rest of the Force website at all:
This page appears to be a default Salesforce page. On the left side, a couple of interesting links appear. One of these links goes to the profile page of one of the TAFE SA Force owners. Nothing particularly interesting is found there; however, the other link of interest proved to be something more.
The link pointed to a page located at "/community/s/detail/00X0X0000XXXXXX". This page held every piece of confidential information I provided when first signing up. This data included my full name, home address, mobile/home phone number, email address, employment status, education history, VET loan status and other confidential pieces of information. Disturbingly, this page also contains a widget and link that points Google Maps to my house. Here is an image of the page and the confidential information it contains (open the image to view it larger):
Interestingly, I have the ability to email myself, edit my information and clone the information(?). Every piece of information on the page I could edit. Cool, but mostly pointless, except for that clone feature: what does that do? It seems like it allows me to clone my information into a separate entry over which I had complete ownership. This could be an issue if spammed, but nothing worth complaining about.
While playing around with this page I decided to increment the last alphanumeric character in the URL, and to my surprise a profile appeared. Except this profile wasn't my own; it was another student's. All of the information that was available on my page was available on this page as well. Their phone numbers, email address, home address, employment status, all there, visible to me. I even had the permission to edit and clone this account. Now, this is problematic and worth complaining about on its own. But it didn't stop there: further incrementing of the last URL character took me to other profiles, and going back a character and altering that let me access other profiles. The results were not always consistent, and I didn't spend that much time playing around; however, the fact that I had access to view and alter this information was appalling. Just to mention it again, these pages had Google Maps links to the students' houses.
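The record-ID walk described above leaves a recognisable trail in the community's web-server access logs. As an added example (not code from the original post or from TAFE SA/Salesforce), here is detection logic a defender could run over such logs to flag a session that views several detail records whose IDs differ by only one character from the previous one; the log layout, the `sess=` field and every record ID below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines. Session A walks through neighbouring
# record IDs the way a manual "increment the last character" probe would;
# session B reloads a single record. The IDs are made up, not real records.
SAMPLE_LOG = """\
10.0.0.5 sess=A [27/Jan/2018:10:00:01] "GET /community/s/profile/home HTTP/1.1" 200
10.0.0.5 sess=A [27/Jan/2018:10:00:09] "GET /community/s/detail/0010o00001AbCdE HTTP/1.1" 200
10.0.0.5 sess=A [27/Jan/2018:10:00:20] "GET /community/s/detail/0010o00001AbCdF HTTP/1.1" 200
10.0.0.5 sess=A [27/Jan/2018:10:00:31] "GET /community/s/detail/0010o00001AbCdG HTTP/1.1" 200
10.0.0.5 sess=A [27/Jan/2018:10:00:44] "GET /community/s/detail/0010o00001AbCeG HTTP/1.1" 200
10.0.0.9 sess=B [27/Jan/2018:10:01:02] "GET /community/s/detail/0010o00001AbZzZ HTTP/1.1" 200
10.0.0.9 sess=B [27/Jan/2018:10:05:40] "GET /community/s/detail/0010o00001AbZzZ HTTP/1.1" 200
"""

# Salesforce record IDs are 15 (case-sensitive) or 18 characters long.
DETAIL_RE = re.compile(r'sess=(\S+) .*"GET /community/s/detail/([A-Za-z0-9]{15,18}) ')


def detail_ids_per_session(log_text):
    """Map each session to the distinct record IDs it viewed, in request order."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = DETAIL_RE.search(line)
        if m:
            sess, rid = m.group(1), m.group(2)
            if rid not in seen[sess]:
                seen[sess].append(rid)
    return seen


def is_near_sequential(a, b):
    """True when two equal-length IDs differ in at most one character position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) <= 1


def find_enumerating_sessions(log_text, threshold=3):
    """Flag sessions that viewed at least `threshold` distinct detail records
    where (almost) every ID is within one character of the one before it."""
    flagged = {}
    for sess, ids in detail_ids_per_session(log_text).items():
        near = sum(1 for a, b in zip(ids, ids[1:]) if is_near_sequential(a, b))
        if len(ids) >= threshold and near >= threshold - 1:
            flagged[sess] = ids
    return flagged


if __name__ == "__main__":
    for sess, ids in find_enumerating_sessions(SAMPLE_LOG).items():
        print(f"session {sess} viewed {len(ids)} neighbouring records: {ids}")
```

Only the permission fix stops the exposure itself; this check is for spotting that someone has already been walking through records.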
I swiftly reported this issue and it was fixed the following Monday (this was reported on a Saturday). While not a particularly entertaining or thrilling story, it goes to show just how poorly some companies and institutions handle information security. Something this simple may be easy to overlook and have incorrect default permissions in place; however, the response I received hinted at them not knowing one was able to access their own information, let alone that of other students.