Slashdot Mirror


Harvard Business School: You Peek, You Lose

mosel-saar-ruwer writes "Seems Harvard Business school was using the ApplyYourself web service to process applications. Sometime in the last few days, an anonymous hacker, known as 'brookbond', was able to crack the system, and discovered that Harvard had already posted acceptance letters to the website fully a month before they were to be mailed to their recipients. He posted instructions on how applicants could view their letters at the BusinessWeek forums, and approximately 119 applicants followed his advice. Today, the dean of the Harvard Business School, one Kim Clark, announced that none of the 119 would be admitted: 'This behavior is unethical at best -- a serious breach of trust that cannot be countered by rationalization... Any applicant found to have done so will not be admitted to this school.'"

5 of 802 comments

  1. Stanford B-school position by peter303 · · Score: 4, Informative

    Stanford Business School said it had 42 illegal accesses. However, Stanford's initial position is to ask the applicants who accessed to identify themselves. I wonder if they are making forgiveness for honesty, because like Harvard, they know exactly where the accesses occurred.

  2. Re:Deserved by Pastis · · Score: 5, Informative

    From the article:

    Metheny also noted that individuals could only access their own personal admissions responses--not those of other applicants.

  3. Re:Curious by thelen · · Score: 4, Informative

    Ditto. The difference is between trying to elicit a desired response by breaking the server (like in a buffer overflow or bypassing security with a password cracker), and utilizing a well-known protocol in a normal way. HTTP is just a way of asking for information, and if you simply ask a server for something it's the server's duty to make sure it wants to honor the request.

    Beyond that, I can easily imagine someone leaping at the chance to figure out if they're going to get into their dream school. This is a major overreaction on the part of HBS.

  4. Not hacking. Bug fixing by Error27 · · Score: 4, Informative

    The trick was you had to type in the following URL.

    https://app.applyyourself.com/AyApplicantMain/ApplicantDecision.asp?AYID=89CFE0A-424C-4240-Z8D0-9CR52623F70&mode=decision&id=1234567

    The AYID=89CFE0A-424C-4240-Z8D0-9CR52623F70 was in the URL bar when you logged into the site. You could figure out the id=1234567 from hitting view source once you were logged in and searching for ID.

    I look at that and I think, maybe they didn't make the URL clickable because of a bug in the system. These students basically just found a bug fix.

  5. Re:Instructions? by TCQuad · · Score: 4, Informative

    O'Reilly has an article (appropriately titled "Not linking is not security") which includes a link to the detailed instructions for this "hack".

    Basically, you scan the source of the page after login for your ID number and the security hash. Then you append that to your URL. The process is a whole seven steps and in the realm of nefarious hacks it's... neither.