Security flaw found in OSCAR system, fix in progress

On Feb. 9, 2017 Tech OMSCS Askhay Sharma alerted the Institute of a possible security flaw in OSCAR that could allow people access SSNs, addresses, banking information and other sensitive information of any person involved with Tech. By allowing this backdoor to exist, Sharma says Tech is violating FERPA because of opportunity of unauthorized disclosure of personal information.

Additionally, the breadth of this flaw may affect more than just students at Tech.

“Not only does it affect current Georgia Tech students,” Sharma said, “but also alumni and even people who were rejected for admission or who got in and turned down an offer of admission because their information still stays in the system.”

In addition to pursuing his OMSCS, Sharma is a Security Researcher and Software Engineering Technologist. Five days after his initial report to the Institute, on Feb. 14, 2017, Sharma received an email back telling him that they had received his report and knew of the vulnerability. Between then and Wednesday, March 28, 2018, nothing was done to fix the problem.

After waiting over a year with no fix made, Sharma decided to go public with the information regarding the security threat. He wrote an article and posted it to the website on Monday, March 26, 2018 detailing how one could access the sensitive information in an effort to see if Tech would fix the issue.

The same day, Sharma reached out to the Technique with this information and the possibility of publishing a story. The main thing Sharma was worried about was the ease of access of the flaw.

“A lot of the security flaws I work on discovering are very technical,” Sharma said, “you actually have to exploit them. You don’t need a rocket scientist to discover this [one], it’s in the policy. I’m surprised it took them so long and that I had to come out publicly for them to patch this.”

At 3 p.m. on March 28, the Institute released a statement on the issue:

“Security Researcher Akshay Sharma, a Georgia Tech master’s student, notified the Institute of an authentication issue to the student course registration system known as “OSCAR.” The Institute has received the notification and has been working with the system vendor to identify a solution.  

To address this issue, direct access to the OSCAR system has been closed. Users are now required to access the OSCAR system through Buzzport, which requires two-factor authentication for access.  This issue is unique to the OSCAR system, all other campus systems remain secure.”

Sharma’s advice on fixing the system is to either shutdown the separate OSCAR system entirely, or reset the PIN of every person to a random number so that the flaw no longer persists.

While a fix is being found, students, faculty and staff hoping to access OSCAR must go through Buzzport.