Cybersecurity teams within the Information Technology Systems department at the University of Connecticut have recently fixed a webpage vulnerability, one user on the internet says. The weakness, which could have been exploited by bad actors, was originally reported last week on the UConn forum on Reddit.
“I found a serious vulnerability on the UConn website that I was trying to reach out to find help in terms of finding the correct person to report it,” the user who originally posted about the weakness, going by the screen name PKHacker1337, said. “Since then, it appears to have been fixed.”
The security issue purportedly involved UConn’s use of an older version of the FCK Editor software, which allows users to edit webpages in “WYSIWYG” (what you see is what you get) mode as opposed to code in specialized markup languages. Usually, editors using the software need to be logged in and authorized, but it was found that certain parts of the software’s code could be executed by unauthorized parties — potentially including malicious hackers.
PKHacker1337 said they attempted to contact ITS but was initially unsuccessful because they’re not a member of the UConn ecosystem. After a member of the ITS staff inadvertently saw the post and reached out over Reddit’s messaging feature with more details, the issue was properly diagnosed, a follow-up post said.
“I know that once [the security vulnerability] was reported, they fixed it pretty quickly,” said Keith Parks, a computer technical support consultant for ITS’ help desk in the Homer Babbidge Library.
ITS has its own division dedicated to assessing potential weaknesses in UConn’s computer systems and responding to risks. Because UConn uses software and hardware products from different developers, manufacturers and vendors, continual efforts are made to keep sensitive data secure from outside tampering.
FCK Editor was replaced by another product in 2010 after these types of security issues were found. Bleeping Computer, a cybersecurity and technology news webpage, reports that schools such as MIT, Columbia, Purdue and state and international governments fell victim to FCK Editor weaknesses. They were targeted by malicious parties using their .edu link to send unsuspecting visitors to scams, pornography and fake pages, making it appear that the schools endorsed or hosted them.
PKHacker1337 detected the same issue on the websites for Duke University, Marist College, FIU, the US Department of Veterans Affairs and FedEx.
This isn’t the first time Huskies may have been “caught in the crossfire.” In 2023, UConn was the target of a cyberattack by a hacker group known for infiltrating government agencies. They exploited a portion of UConn’s listserv network to send a hoax email announcing the death of University President Radenka Maric. The SeigedSec group said they did it “for the lulz” — and ITS quickly patched the weakness which made the hack possible — but have intercepted and stolen sensitive data previously.
While every effort to protect student and university data is being made regarding known threats, bad actors and criminals develop new phishing and hacking strategies daily, so ITS warns it’s important for students to stay vigilant and aware of scams that may target them and their personal information.
“These attacks are often designed to appear urgent and panic recipients so that they take immediate action before verifying the legitimacy of the claim made,” ITS’ webpage on phishing reads. “All a phisher needs is your email address, and they can easily send you a fraudulent and misleading email. Education and awareness are the keys to protecting yourself and your private information.”
Common phishing attacks look like legitimate emails or texts but often have tell-tale signs like bad spelling and grammar, lack of credible contact information, being sent from mismatched addresses and have suspicious links and attachments. Other computer scams involve “ransomware“, where criminals lock your computer and demand exorbitant figures and take advantage of “back doors” to infect other computers in your home or organization.
“If you have questions about a request or think you’ve been compromised, don’t be afraid to call or email ITS, or visit the help desk in the library,” Parks says.
One important thing students can do is use two-factor authentication, which is offered through Cisco Duo at UConn. Requiring confirmation of each login attempt can help keep your and UConn’s data more safe and secure, ITS says.
There are numerous resources UConn makes available to students and staff to help them be aware of cybersecurity, like webpages, tips and videos. More information is available at security.uconn.edu.