October 11, 2009

• Insufficient Privilages

  My college has an emergency alerts system that sends email and text messages to registered students and staff in the event of an emergency.  Because of an error in how they set the system up, I was able to send a message to about 12,000 people last Wednesday.  (The error has since been corrected.)

  ---

  It started out simply enough.  I was just making sure that my contact information was up to date so that I would get any emergency alerts.  I saw that I was subscribed for alerts for both campuses, and I noticed that I could “Click for more information”.  This sent me to a page with a basic description of alert distribution list, an empty section that was labeled “Posts”, and a 3rd empty section I can’t remember much about.

  When I clicked on the “Add new post” button, I expected one of two things to happen.  Either I was going to get a message saying Insufficient Privileges, or I was going to find an online forum or message board.  Instead, I was presented with 2 text boxes, one for the text message and one for the email message.  At this point I was sure that the system waited until someone attempted to post a message before determining if the person had permission to send a message to the whole campus, which seemed somewhat sloppy.

  Just in case the system ended up letting me send a message out, and because it was accurately describing what I was doing, I decided  to send a message that said “Test – Manhattan_Campus_Alerts sent 12:20 P Central”.  This way people would not get a blank emergency alert, and I just felt like I should put something there.  I didn’t really think this through very far, otherwise I would have realized that if this works, I would be sending a message to everyone on campus, but I was still convinced that I was going to get a message telling me I wasn’t allowed to send this message.  Instead, within 15-20 seconds after pressing the send button and thinking “Why’d it send me back to the beginning?  Does that mean it didn’t work?”, I felt me phone vibrate with a text message – the text message I had put in the box on the web interface.

  After panicking for a few moments (well, hours really, but I started acting before the panic stage was over), I talked with a couple of older, wiser souls who encouraged me to call someone so that they would know that I wasn’t acting maliciously and so that they would know to patch the hole in their system.  As luck would have it, they guy I tried to call was out for the week.  Of course, I didn’t find this out until I got a call from the director of the department responsible for the alert system.  Luckily, he wasn’t too angry with me (I’m not going to jail, that’s enough for me).  He thanked me for treating it like a test rather than saying that there was a bomb on campus.  It turns out that even though any student could have sent a message, I was the only one who did.  Normally, only about 5 people are allowed to post to the emergency alert system.  He did request that I call before clicking anything critical the next time I try testing their security.

  Most people don’t know that I sent the message, unless they happened to be around while I was panicking about getting expelled or going to jail.  I have had a few suggestions about what I should have said instead of “testing”:

  • “Class is cancelled for today.  Please leave campus.”
  • “Long live Tony”
  • “Hey ladies, I’m single.  Give me a call at (###) ### – ####

  Then again, any of these messages would likely have resulted in some more serious punishments.  And for now, I’m just glad to have this whole experience behind me.

  • 10:46 pm
  • 2 Comments