The Daily Tar Heel
Printing news. Raising hell. Since 1893.
Friday, April 19, 2024


Senior Winston Howes has pinpointed three major issues he worries could be exploited by hackers.

“It’s possible for anyone to see anyone’s grades across campus. It’s possible to change anyone’s grades on campus. On top of that, it’s also possible to view anyone’s financial information, from financial aid to information that parents or whoever are using to pay tuition,” he said.

Howes said he first noticed the issues in August 2013 while working on creating a new version of ConnectCarolina, known as ConnectCarolina 2.0, as a personal project.

“In order to build ConnectCarolina 2.0, I had to really dig around inside ConnectCarolina to learn how it’s working from the inside out,” Howes said. “(The issues) I found sort of spooked me.”

Howes said the University didn’t believe the weaknesses existed until he showed them how they could be exploited.

“I reported a bunch of security holes to UNC, and they told me they were working on them,” he said. “But when I came back around Christmastime, I had a meeting with ITS and the Dean of Students and I realized that none of these security holes that I’d brought up had been fixed at all.”

Susan Kellogg, deputy chief information officer for ITS, emphasized that while ITS takes all security concerns seriously, Howes’ accusations were “quite strong.”

“We’re also not aware that someone can view a student’s financial information unless that student has given them access to do so,” Kellogg said.

“People who aren’t supposed to be changing grades are not. They can’t.”

Howes said he believes that though the security holes are in an obscure part of ConnectCarolina, they still pose a real threat.

“There was confusion about who was at fault and who would be able to take ownership in fixing these things. Unfortunately, some of these things are related to core ConnectCarolina functionality, so fixing them without care could break a lot of other things,” he said.

Student Body President Andrew Powell recognized that it can take a while for issues to be fixed within large university systems. He and Howes have been collaborating with Information Technology Services over the past few months to work on closing security holes.

“When Winston approached me a few weeks ago, he still had concerns about security vulnerabilities,” Powell said. “He’s very knowledgeable about these things, so I asked him to keep me posted.”

Howes maintains that the weaknesses do exist and are not yet closed.

“I checked earlier (Tuesday) and the security holes are still open and not fixed.”

university@dailytarheel.com
