
Student who discovered leak wants to raise digital awareness
“Every leak can potentially lead to a hack”
Bachelor’s student in Computer Science Paul Söntgerath occasionally visits Community Café Hubble to grab a bite to eat, and on one of those visits he noticed a vulnerability in the café’s computer system. The leak has now been fixed, but the student thinks it took far too long to address the problem and wants to raise awareness about digital security on the TU/e campus. “Especially in light of the cyber-attack at the beginning of this year.”
Before the fix, the situation was as follows: if you ordered something at Hubble, you would get a receipt with a number that you could use to track your order, both on the screens inside the café and on a website listed on the receipt.
Hubble kept track of orders in a separate system, and therein lay the vulnerability: a form whose input wasn’t filtered. So you could enter order numbers, but also text or images. “That really is a typical beginner’s mistake,” says Söntgerath.
What was a real risk Hubble faced due to this mistake? “It was a Cross Site Scripting (XSS) vulnerability. I could enter anything I wanted in that form, which would then be executed in the visitor’s browser,” says Söntgerath. “For example, I could insert an image that I host on my own server. And anyone who has their own server can track the traffic going to that server and, for example, view the IP addresses of Hubble visitors.” The student knows that messing with orders – of a café, in this case – that may or may not be ready is not the end of the world, but it’s the principle that matters to him.
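To make the mistake concrete, here is an added example (not Hubble’s code, and not written by Söntgerath) of an order board that renders submitted order numbers. It shows the vulnerable pattern the article describes beside a hardened version that validates each entry as a numeric order number and HTML-escapes whatever it displays. All names, the digit-only format and the sample entries are assumptions constructed for the example.

```javascript
// Added example (not Hubble's code): rendering an order-number board from
// untrusted input. Two independent defences are shown:
//   1. validation - an entry is only accepted if it is all digits;
//   2. escaping   - whatever is rendered is HTML-escaped, so even a value
//                  that slips past validation cannot become live markup.
// Function names, the numeric format and the sample entries are constructed.

const ORDER_NUMBER_RE = /^[0-9]{1,6}$/; // assumption: receipts carry short numeric IDs

function isValidOrderNumber(value) {
  return typeof value === 'string' && ORDER_NUMBER_RE.test(value);
}

// Escape the five characters that let text break out of an HTML text node
// or attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the submitted value is concatenated into markup as-is,
// so an <img> tag pointing at an outside server becomes a real element in
// every visitor's browser. This is the class of bug the article describes.
function renderUnsafe(entries) {
  return entries.map((e) => `<li>${e}</li>`).join('');
}

// Hardened pattern: reject anything that is not an order number and escape
// the rest. The rejected inputs are returned as well, so the server side can
// log them; unexpected input on such a form is itself a useful signal.
function renderOrderBoard(entries) {
  const rejected = entries.filter((e) => !isValidOrderNumber(e));
  const html = entries
    .filter(isValidOrderNumber)
    .map((e) => `<li>${escapeHtml(e)}</li>`)
    .join('');
  return { html, rejected };
}

// Constructed sample: two genuine order numbers and one injected tag.
const SAMPLE_ENTRIES = ['1042', '<img src="https://example.invalid/pixel.png">', '1043'];

console.log('unsafe:', renderUnsafe(SAMPLE_ENTRIES));
console.log('hardened:', renderOrderBoard(SAMPLE_ENTRIES));
```

The unsafe rendering passes the injected tag straight through, while the hardened one drops it and reports it in `rejected`.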
How do you discover such a vulnerability? Söntgerath is eager to share: “I had ordered food and had to keep refreshing the page to see if my food was ready. So then I thought: ‘What if I just write a WhatsApp bot that sends me a notification when it’s ready?’ I started investigating how those numbers are placed on the site, and as it turned out, they came from this unsecured form.”
Responsibilities
Hubble Community Café was asked about the leak and whether it has been fixed. A board member said that the problem has been resolved by removing the entire feature from the website. “The system is outdated and is no longer used as the basis of the underlying system. In fact, the website has since been taken offline completely pending its replacement, which will only display the order numbers.”
TU/e Chief Information Security Officer (CISO) Martin de Vries explains that websites of organizations not affiliated with TU/e are the responsibility of those organizations themselves. “Nevertheless, we think it’s important in general that organizations are alert to these kinds of reports and actively address them.”
The student does not consider the fact that Community Café Hubble is not part of TU/e itself particularly relevant. “I understand that this organization is not part of TU/e, but it is located here on campus. The TU/e community is clearly the target audience of this café. You can’t separate that, as far as I’m concerned.”
Raising awareness
CISO De Vries says he has no insight into the technical details of the Hubble leak and cannot comment on the matter. He does say that it is a good thing, in general, for websites to be checked for vulnerabilities. An organization can do this by conducting (or having conducted) a so-called security penetration test.
“There is also a Responsible Disclosure arrangement, where external persons – for example, an ethical hacker – can report discovered vulnerabilities to the organization for fixing. Such a Responsible Disclosure arrangement is important for the ethical hacker because checking and/or testing a website without one can be a punishable offense.”
Söntgerath thinks it is important to raise digital awareness and reported the error through that RD arrangement, among other ways. “I think it’s important to be more aware of proper website and system security, especially in light of the cyber-attack at the beginning of this year. Every leak can potentially lead to a hack. And it took months for this to be addressed, even though I know it was easy to fix,” says the student.
Own goal
“The Hubble leak was a mistake that no one who programs websites should ever make,” Söntgerath believes. “It’s like scoring an own goal in soccer. The impact was relatively small this time, but it could have much bigger consequences in other areas of the university.”
That would be the case, for example, if a website were used by a much larger number of people or connected to critical (TU/e) systems, which Hubble assured was not the case here. “The Hubble servers are also not located on the university campus and are not connected to the university’s network, nor to Hubble’s critical systems. This is because Hubble’s critical systems are outsourced to an external party,” Hubble assures.
The Hubble board acknowledges the error, but is not worried that it would have had a major impact. “This mistake occurred because an outdated system was in use. Hubble was founded by and for students. This means that systems are created by students on a voluntary basis and as a result, things like this can happen.”
Jan Friso Groote, professor at the Department of Mathematics & Computer Science, tries to put the error into perspective by means of a clear analogy. “Sometimes, programming errors sound abstract and it’s difficult to weigh their severity. But you can compare this kind of mistake – big or small – to leaving the door to your house or car open. It’s usually fine, sometimes there’s a lot to steal, sometimes little. But the fact is that the world has changed significantly and it’s better to lock the door properly these days.”