Why I Love Being a Comp Sci Major
This is an email to my Psychology professor:
Professor,
Through observation I realized that the Sona System for the Psychology experiments may have a HUGE potential security flaw. The flaw has to do with user accounts and their assigned passwords. I noticed that when I received my username and password, the password was two letters followed by a four-digit number. Last night, while helping my friend find experiments, I realized that his password followed the same pattern, and even more so: the first two letters are the user’s last initial followed by their first initial. I checked to see if there is any way to change the assigned password, but there is not.
Through some quick analysis, I realized that it would be extremely easy for someone with malicious intent to crack someone’s account, for example a researcher’s account, if they knew that person’s email. A user’s email provides two of the six characters needed for the password, and the last 4 characters can each be any digit from 0-9, leaving only 10,000 (10^4) combinations for a person to try. While this may sound like a lot, it can be done in a matter of seconds on a computer. It should also be apparent that finding someone’s email is very simple, as the email is provided in the experiments on Sona as well as when an experiment is completed.
I decided to dig a little further (for interest’s sake) into the possible combinations of all passwords, which would be 26 * 26 * 10 * 10 * 10 * 10, or 26^2 * 10^4, which is 6,760,000 combinations. Again, while it may seem like a big number, cracking this many combinations on a computer is extremely simple. I also thought of the case where a person knows someone’s first and last name, but not their email address. CSUN email addresses follow the pattern firstname.lastname.XX@my.csun.edu, where XX is a two-digit number (each digit 0-9), so if a person knows someone’s first name and last name, the maximum number of combinations is a million (10^2 for the 2 digits of the username * 10^4 for the 4 digits of the password).
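As an added example (not part of the original email), here is a small keyspace calculator that reproduces the three figures above (10^4, 26^2 * 10^4, and 10^6) and goes one step further by showing what the numbers mean for a defender: how quickly such a space is exhausted at a given guess rate, and how an account lockout policy changes that. The pattern letters (L = letter, D = digit, K = character the attacker already knows), the guess rate of 10 attempts per second and the lockout settings are assumptions constructed for illustration, not facts about the Sona System.

```python
# Added example, not code from the original post: evaluate how strong an
# assigned-password format is, from a defender's point of view.
import math

# Assumed pattern classes (not from the original email):
#   L = one letter (26 choices), D = one decimal digit (10 choices),
#   K = a character the attacker already knows (1 choice), e.g. an initial
#   recoverable from the user's email address.
CLASS_SIZES = {"L": 26, "D": 10, "K": 1}


def keyspace(pattern: str) -> int:
    """Number of candidate passwords for a pattern such as 'LLDDDD' or 'KKDDDD'."""
    total = 1
    for ch in pattern:
        total *= CLASS_SIZES[ch]
    return total


def entropy_bits(pattern: str) -> float:
    """Size of the space expressed in bits, the usual way to compare policies."""
    return math.log2(keyspace(pattern))


def expected_seconds(space: int, attempts_per_second: float) -> float:
    """Average time to hit the right password: half the space is tried on average."""
    return space / 2 / attempts_per_second


def seconds_with_lockout(space: int, attempts_before_lockout: int,
                         lockout_seconds: float) -> float:
    """Worst-case time to exhaust the space when the server locks the account
    after N failed attempts; the sub-second guessing time itself is ignored."""
    windows = math.ceil(space / attempts_before_lockout)
    return windows * lockout_seconds


def report(label: str, pattern: str, rate: float = 10.0) -> None:
    space = keyspace(pattern)
    print(f"{label:<45} {space:>25,} candidates "
          f"({entropy_bits(pattern):5.1f} bits), "
          f"~{expected_seconds(space, rate):,.0f} s at {rate:g} guesses/s")


if __name__ == "__main__":
    # The three cases discussed in the email.
    report("initials known from email (KKDDDD)", "KKDDDD")        # 10,000
    report("no prior knowledge (LLDDDD)", "LLDDDD")                # 6,760,000
    report("name known, email digits unknown (DD+DDDD)", "DDDDDD")  # 1,000,000
    # For contrast: a randomly generated 12-character alphanumeric password.
    # 62 choices per character; built by hand since CLASS_SIZES has no such class.
    strong = 62 ** 12
    print(f"{'random 12-char alphanumeric':<45} {strong:>25,} candidates "
          f"({math.log2(strong):5.1f} bits)")
    # Effect of a lockout policy (assumed: 5 failures -> 15 minute lock).
    worst = seconds_with_lockout(keyspace("KKDDDD"), 5, 15 * 60)
    print(f"KKDDDD with lockout after 5 failures: worst case {worst / 86400:.1f} days")
```

The calculator makes the policy trade-off visible: a six-character format with two known characters is about 13 bits, which is exhausted in minutes without throttling, while the same format behind a modest lockout already stretches a full search to weeks. Neither is a substitute for letting users set a password with a proper minimum entropy, but the second number is the one to quote when asking for rate limiting as an interim fix.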
I don’t really know the workings of the Sona System, but I think that you guys should address this major security flaw. I can only assume that the most that can happen is a person with malicious intent rewarding themselves or others with more credits because I’ve only seen the student side of things, but as a professor I’m sure you understand what abilities a researcher has versus a student.
Just to let you know, I tried applying my method on my own account, and in about an hour I was able to create a program that drives a web browser, determines whether a given password combination logged in successfully, and records the password that worked. I did this in a language that I had zero knowledge of before this afternoon, so it doesn’t require any extremely complex programming logic; I was actually able to do it in one of Apple’s more user-friendly scripting languages rather than a full-fledged programming language like C/C++/Java.
If you’d like my source code or any other information, let me know!