Harvard Business School: You Peek, You Lose
mosel-saar-ruwer writes "Seems Harvard Business School was using the ApplyYourself web service to process applications. Sometime in the last few days, an anonymous hacker, known as 'brookbond', was able to crack the system, and discovered that Harvard had already posted acceptance letters to the website fully a month before they were to be mailed to their recipients. He posted instructions on how applicants could view their letters at the BusinessWeek forums, and approximately 119 applicants followed his advice. Today, the dean of the Harvard Business School, one Kim Clark, announced that none of the 119 would be admitted: 'This behavior is unethical at best -- a serious breach of trust that cannot be countered by rationalization... Any applicant found to have done so will not be admitted to this school.'"
ApplyYourself web service isn't actually a web service (not SOAP, not REST). An *anonymous* hacker *known* as "brookbond." Their letters weren't *at* BusinessWeek Forums. Unethical behavior discouraged by a business school (pot, meet kettle).
...Ahem...fp
See any serious problems with this story?
A programmer is a machine for converting coffee into code.
Stanford Business School said it had 42 illegal accesses. However, Stanford's initial position is to ask the applicants who accessed to identify themselves. I wonder if they are making forgiveness for honesty, because like Harvard, they know exactly where the accesses occurred.
From the article:
Metheny also noted that individuals could only access their own personal admissions responses--not those of other applicants.
So they can be pretty sure that if person X's letter was viewed, it was viewed by person X or someone who knows the password of person X.
Am I part of the core demographic for Swedish Fish?
Almost the exact same thing just happened at the CMU business school; this was in the paper today. When I saw the Slashdot article, I just assumed it was about the folks that broke into the CMU admissions website (and were also banned by the school as a consequence).
Ditto. The difference is between trying to elicit a desired response by breaking the server (like in a buffer overflow or bypassing security with a password cracker), and utilizing a well-known protocol in a normal way. HTTP is just a way of asking for information, and if you simply ask a server for something it's the server's duty to make sure it wants to honor the request.
Beyond that, I can easily imagine someone leaping at the chance to figure out if they're going to get into their dream school. This is a major overreaction on the part of HBS.
Although this is moot in this case, because of Harvard's actions, anyone aspiring to do something similar for another school ought to be given a word of warning. Just because your name is next to the word "accept" in a database somewhere doesn't mean you're getting in. A lot of the time, admissions offices (including the one I work in) will establish an initial list of accepts but then pare it down if the class is too big. So just don't announce anything to your friends and family and make plans to move - you may yet be up for the axe. You won't know you're in until that thick envelope arrives.
The trick was you had to type in the following URL.
https://app.applyyourself.com/AyApplicantMain/ApplicantDecision.asp?AYID=89CFE0A-424C-4240-Z8D0-9CR52623F70&mode=decision&id=1234567
The AYID=89CFE0A-424C-4240-Z8D0-9CR52623F70 was in the URL bar when you logged into the site. You could figure out the id=1234567 from hitting view source once you were logged in and searching for ID.
I look at that and I think, maybe they didn't make the URL clickable because of a bug in the system. These students basically just found a bug fix.
O'Reilly has an article (appropriately titled "Not linking is not security") which includes a link to the detailed instructions for this "hack".
Basically, you scan the source of the page after login for your ID number and the security hash. Then you append that to your URL. The process is a whole seven steps and in the realm of nefarious hacks it's... neither.
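The posts above describe the whole weakness: the decision page was already live, and the only thing standing between an applicant and their result was that nobody had linked to it. The following is an added illustration of the server-side point, not ApplyYourself's code and not from any poster here. It contrasts a handler that (as the article states) checks the visitor is logged in as the applicant named in the URL but serves the decision whenever asked, with one that derives the applicant from the session and also enforces the release date. Every record, session token and date in it is constructed for the example.

```python
"""Not linking is not security: the unlinked ApplicantDecision-style page
in the thread was served to anyone who assembled the URL by hand.
Added example; all data below is constructed."""
from dataclasses import dataclass
from datetime import date

# Constructed admissions records: applicant id -> decision text.
DECISIONS = {
    "1234567": "Admit",
    "7654321": "Deny",
}

# Constructed date on which decisions are officially released.
RELEASE_DATE = date(2005, 3, 30)

# Constructed session store: opaque session token -> authenticated applicant id.
SESSIONS = {
    "sess-alice": "1234567",
    "sess-bob": "7654321",
}


@dataclass
class Request:
    session_token: str
    query: dict      # parsed query string, e.g. {"mode": "decision", "id": "1234567"}
    today: date      # the server's current date, injected so the embargo is testable


def decision_vulnerable(req: Request) -> str:
    """The behaviour described in the thread: applicants can only see their
    own decision, but the page hands it out a month before the release date
    because the only 'protection' was the absence of a link."""
    applicant_id = SESSIONS.get(req.session_token)
    if applicant_id is None:
        return "403 not logged in"
    if req.query.get("id") != applicant_id:
        return "403 forbidden"
    return DECISIONS.get(applicant_id, "404")


def decision_hardened(req: Request) -> str:
    """Authorisation is bound to the session rather than to URL parameters,
    and the embargo is enforced where it can actually be enforced: server-side."""
    applicant_id = SESSIONS.get(req.session_token)
    if applicant_id is None:
        return "403 not logged in"
    # Any `id` in the query string is at most a hint; it must agree with the session.
    if req.query.get("id", applicant_id) != applicant_id:
        return "403 forbidden"
    # Before release the record does not exist as far as the web tier is concerned,
    # so a hand-built URL and a missing link are indistinguishable.
    if req.today < RELEASE_DATE:
        return "404"
    return DECISIONS.get(applicant_id, "404")


def demo() -> dict:
    """Runs both handlers against the same constructed requests so the
    difference is visible side by side."""
    early, late = date(2005, 3, 2), date(2005, 4, 1)
    own = {"mode": "decision", "id": "1234567"}
    other = {"mode": "decision", "id": "7654321"}
    return {
        "vuln_early_own": decision_vulnerable(Request("sess-alice", own, early)),
        "vuln_early_other": decision_vulnerable(Request("sess-alice", other, early)),
        "hard_early_own": decision_hardened(Request("sess-alice", own, early)),
        "hard_late_own": decision_hardened(Request("sess-alice", own, late)),
        "hard_late_other": decision_hardened(Request("sess-alice", other, late)),
        "hard_no_session": decision_hardened(Request("bogus", own, late)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

The vulnerable handler is not wrong about *who* may see a decision; it is wrong about *when*, and a release date that lives only in the mailing schedule cannot be checked by the web server. Putting the date check next to the ownership check, and returning the same 404 that an unpublished page would, removes the incentive to go hunting for the URL at all.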
At this point, a blogger named PowerYogi posts the technique to his blog which can be found here. It seems to involve copying two identification numbers from a linked asp page to an unlinked asp page.