Insecure Logins at 90 Colleges

Results as of 7-19-14

16/57 plaintext login pages fixed or improved (28%)
8/33 mixed login pages fixed or improved (24%)

How Common are Insecure Login Pages?

The big message is clear: Colleges have largely switched to HTTPS. The logins I am finding are clearly the colleges way at the back of the pack on this issue.

List of 90 Vulnerable Colleges

Notifications

I was not motivated to hunt through their Web pages to find specific email addresses to contact this time, so I just used grep to find all the domains ending in .edu and mailed to "security@domain.edu", as well as a few additional email addresses listed below.

I sent this message:

Security Problem on Your Network

Hello:

I am Sam Bowne, an Instructor in Computer Networking and Information Technology at City College San Francisco. If you want to know more about me, look at my Twitter profile:

https://twitter.com/sambowne

Your site uses one or more insecure login pages, which make it easy for hackers to steal passwords or other credentials. All login pages should use encrypted protocols, such s HTTPS.

This article may be helpful: "A basic guide to when and how to deploy HTTPS"

http://erik.io/blog/2013/06/08/a-basic-guide-to-when-and-how-to-deploy-https/

I published details of my study here, including the vulnerable URLs:

http://samsclass.info/125/proj11/insecure-logins.htm

Feel free to contact me if I can be of assistance.

Re-Notification

I therefore re-sent the email to abuse@school.edu, with this notice at the top:

Note: Many schools do not accept emails to security@school.edu, despite RFC 2142. I am therefore re-sending this to abuse@school.edu.

Details of Searches and Pages Found

Googling for:

inurl:edu login
inurl:edu login -inurl:https

Schools with Plaintext Login Pages

I don't really understand how any college with plaintext logins can be in compliance with privacy regulations like FERPA and HIPAA, since anyone can easily collect passwords and enter their "secure" servers. They are like a bank with no lock at all on the vault.

1. 4 Faculty

2. Agnes Scott College

3. Alabama State U

4. American Public U

5. American Sentinel U

6. Aspen U

7. Athens State U

8. Austin Community College

9. Bard College

10. Capella U

11. Coastal Carolina U

12. The College of St Rose

http://shibboleth.strose.edu/simplesaml/auth/login.php?
Plaintext! Fixed on 7-19-14, no longer uses authentication

13. Cornell

14. Corning Community College

15. Dallas Baptist U

http://www.jevin.net/jevin/login.pl
Plaintext! Down on 7-19-14

16. Durham Technical Community College

17. East Carolina U

18. EDUCAUSE

19. Fielding Graduate U

http://forums.fielding.edu/visible/aca-1/dispatch.cgi
http://moodle2.fielding.edu/login/index.php
Plaintext! Still the same on 7-19-14

20. Glogster

21. Henderson State U

22. Humphreys College

23. Independence U

24. Jones International

25. Johns Hopkins U

26. Kean U

27. Keene State College

28. Keuka College

29. Lewis-Clark State College

30. Lincoln Land Community College

31. Los Angeles City College

32. National U

http://www.curricunet.com/NU/index.cfm
http://community.nu.edu/community
Plaintext! Still the same on 7-19-14

33. Oklahoma City Community College

http://www.occc.edu/email/password.html
Mixed Still the same on 7-19-14

34. Rasmussen College

35. Rush U Medical Center

36. Santa Clara U

http://claranet.scu.edu/eres/login.aspx
http://astra.scu.edu/AstraSchedule7/Portal/GuestPortal.aspx
Plaintext Still the same on 7-19-14

37. Smithsonian Institute

info@si.edu security@si.edu oighotline@oig.si.edu

38. Southern University and A&M College

39. St. Joseph's College New Yprk

40. Stanford U

41. Style Sight

42. Texas Medical Center

43. Thomas U

http://faculty.thomasu.edu/login.asp
http://student.thomasu.edu/login.asp
http://www.thomasu.edu/Private
Plaintext! HTTPS on 7-19-14

44. U of Georgia

45. U of Maryland

46. U of Massachusetts Amherst

47. U of Massachusetts Boston

48. U of Minnesota

49. U of North Carolina Greensboro

http://libjournal.uncg.edu/index.php/jls/login/signIn
http://euc.uncg.edu/schedule/login.php?
http://integrity.uncg.edu/irb-zone/
http://www.uncg.edu/bae/gcs/exploration/login.html
Plaintext! Still the same on 7-19-14

50. U of Northern Iowa

http://www.library.uni.edu/login
Plaintext! HTTPS on 7-19-14

51. U of Wisconsin

52. UC Berkeley

53. UCLA

54. UC Santa Cruz

56. UC Riverside

57. West Point

Schools With Mixed HTTPS in HTTP Logins

1. Academia.edu

2. Academy of Art U

3. Caldwell College

4. Carnegie Mellon U

5. CCSF

6. California College San Diego

7. California State U Stanislaus

http://www.csustan.edu/Blackboard/
Mixed Still the same on 7-19-14

8. Connecticut Community Colleges

9. Dalton State U

10. Ferris State U

11. Georgetown U

12. Grand Rapids Community College

13. Hanford Community College

14. Illinois Institute of Technology

15. Ivy Tech Community College

16. Keene State College

17. Long Beach City College

18. Massasoit Community College

19. Mid-American Christian U

20. Northeastern U

21. Pierce College

22. Santa Monica College

23. Tennessee State U

24. U of Arkansas

25. U of North Carolina

26. U of North Florida

27. U of West Georgia

28. School of the Art Institute of Chicago

29. Southern Connecticut State U

30. Suffolk U

31. Webster U

32. William Patterson U

33. Wright State U

Statistics