Student Uses WebSIS Loophole To Make 'Hot or Not?' Web Site
“MIT Hot or Not?” is definitely not. After only a few days in operation, an MIT version of the popular “Hot or Not?” Web site was taken down after its creator received complaints from students.
Anthony W. Scelfo ’04 created the site, http://hotornot.mit.edu, which ran off his personal server. Scelfo said that he made the site for fun after learning that the degree audit page on WebSIS featured publicly available photos of students.
“You could just view the image in a new browser,” Scelfo said. With an MIT certificate, the images were “directly accessible by URL,” so they could be fetched outside the degree audit page by anyone holding a certificate. Scelfo said he stumbled across the glitch in WebSIS while exploring the recently updated degree audit page.
Originally, Scelfo protected access to his server with a password, which he e-mailed to friends. However, he said that the password was soon sent out over the mit-talk mailing list. “From about 3:00 p.m. to 7:00 p.m. on the day I took it down, there were about 15,000 pictures that were loaded,” Scelfo said.
Once the site started receiving heavy traffic, Scelfo said he also began receiving feedback. “I got a couple e-mails, some were positive, some were negative,” Scelfo said. After hearing some complaints about the use of photos, he voluntarily took down the site. “I didn’t want it to be as freely available as it was,” Scelfo said.
WebSIS altered to protect photos
Robert A. Rippcondi, director of Student Services Information Technology (SSIT), which runs WebSIS, said that the site brought “a vulnerability in WebSIS” to SSIT’s attention. Rippcondi noted that “the posting of student pictures to a Web site without student permission” violates MIT’s information policy. As a result, “we plugged that vulnerability,” Rippcondi said. “No functionality has changed.”
Rippcondi said SSIT did not yet know why the photos were publicly available. “We’re actually uncovering that right now,” he said.
Under MIT’s Student Information Policy, which is based on the Family Educational Rights and Privacy Act (FERPA) of 1974, identification photographs are included as “education records.” The policy states, “Students have the right to withhold directory and other information from public distribution. Faculty and staff must receive permission from each student to post personal information and identification photographs to web pages.”
While the photos Scelfo used for “MIT Hot or Not?” were publicly available, he did not obtain permission to use them. Rippcondi said that MIT Stopit, rather than SSIT, was dealing with “MIT Hot or Not?” Stopit handles cases of misuse of MIT’s computer systems. “I think at this point Stopit is just dealing with it,” Rippcondi said.
However, Scelfo said that he had not been contacted by anyone other than MIT students regarding the site, including Stopit. “I didn’t hear anything from WebSIS,” Scelfo said.
No definite plans for new site
Despite the high traffic “MIT Hot or Not?” received, Scelfo said he did not have any definite plans for a site where students could submit their own photos. “If people are interested, maybe,” Scelfo said. “It was really just a fun thing.”
Scelfo said that actually making the Web site did not take long. “It was a couple hour thing,” he said. Designing the site involved writing a script to see if the photo URLs were valid and coding the rating system.