A new report suggests that data of various Mount Kenya University students – both past and present – is being shared online in hacker forums. The data consists of names, general addresses, and phone numbers.
Touseef Gul, a Pakistani penetration tester, says the data includes records of 211,373 current and former students, ranging from admission lists to student and administrative information. Gul's breakthrough in the cybersecurity space dates back to 2017, when he discovered a vulnerability that could allow bypassing of GoDaddy's site security tool.
The issue dates back three years, according to Gul, who first discovered the vulnerability in Mount Kenya University's website and database, as well as in those of three Nigeria-based universities: Nnamdi Azikiwe University (UNIZIK); Ahmadu Bello University (ABU), Zaria; and Salem University.
The loopholes were pretty easy to find on these websites, says Gul.
"With ABU, Zaria, for example, all I needed to do was type in portal.abu.edu.ng on my browser along with a few other characters, and I discovered the bugs," he told the Nigerian technology blog TechPoint.Africa.
Gul says he reported the bugs to the universities a long time ago, but only a few responded. Mount Kenya University did not bother, and neither did ABU, Zaria.
Three years later, Gul recently performed another test to see whether the bugs had been fixed. Unfortunately, Mount Kenya University and ABU still have not patched the flaws on their websites to date.
Nigeria-based Ahmadu Bello University stored data on 256,370 of its students online, including their login details (usernames and passwords) in plain text.
For Mount Kenya University, 211,373 students are affected. Hackers have already shared some of the data in various online hacker forums, according to Gul.
A CSV file shared in one hacker forum in mid-May contains 1,525,787 lines of names, addresses, and phone numbers, all Kenyan. That means the hackers may have scraped other data from elsewhere, not just from Mount Kenya University's database. Here is what I mean (phone numbers and names are hidden for privacy):
This leaves the various affected students susceptible to online attacks.
It is quite disturbing that a database can be left unattended for all this time after notification, by an institution that teaches a Master's degree in Information Technology as well as in Information Security (Cyber Crime).
We have already contacted Mount Kenya University for a comment, but they haven’t sent us anything back yet.