Bug in MyMIT System Allowed Sharing of Users’ Information
By Jeffrey Chang
MIT Admissions e-mailed about 9,500 registered users of the MyMIT admissions Web site last week to confirm that their applications were correct after discovering and correcting a problem where users could potentially access other students’ applications.
MIT Admissions realized in late October that under some circumstances, a user of the site could find himself or herself with the same session ID as someone else, Dean for Undergraduate Education Robert P. Redwine said. In those circumstances, a user could see the information from someone else’s registration or application.
MIT was alerted to this problem by a student using the portal. “As soon as we heard, we took the portal down,” Redwine said. The shutdown made the MyMIT site inaccessible around Nov. 1 and led to the extension of the Early Action application deadline. It took a couple of days, but the difficulty, a hardware configuration problem, was straightforward to fix.
“We then had to spend a few weeks trying to understand the extent of possible access to information,” Redwine said. Of the total number of people who had used the portal, about 20 percent potentially could have been affected. Out of that group, only a quarter, or about 2,400, were students who had already submitted their applications.
Applicants alerted via e-mail
“We have recently corrected a hardware configuration problem that may have allowed other registrants access to your account and the information in it,” the e-mail sent to applicants stated. “MIT wants to be 100% confident that all information collected by the MyMIT platform is intact and correct.”
The e-mail asked all users to log into their account and make sure their information was correct. The e-mail also noted that credit card information was not stored on MyMIT’s servers and could not have been accessed by others.
“I just got an e-mail telling me to double-check everything in my application... I had to fill out a very brief form online on whether my stuff was okay or not,” said applicant Katie J. Rahlin. “Nothing happened to my application,” Rahlin said, “but I was kind of surprised, considering it’s MIT.”
“The portal was set up in early September,” said Redwine. “As I understand it, a number of steps in optimization and testing of the portal occurred prior to it going live. In the process of doing that, a configuration was set up in one hardware device to try to increase the speed of the system” in handling traffic. It was this configuration that allowed the duplicate session IDs to occur, he said.
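The failure described above is a session identifier that ends up shared by two users, so one user's requests are served with another's data. The following added example is not the MyMIT system's code; it assumes a constructed access-log format (timestamp, `sid=`, `user=`, method, path) and shows two defender-side pieces: a log scan that flags any session ID observed with more than one authenticated user, which is the kind of evidence the article says MIT later looked for, and a session store that issues IDs from a cryptographically secure random source and binds each ID to exactly one owner, so a collision cannot silently hand one user another's session.

```python
"""Detect shared session IDs in web access logs, and issue session IDs that
are unique and bound to a single user. Example code; log format is constructed."""
import re
import secrets
from collections import defaultdict

# Constructed sample log lines (hypothetical format, not MyMIT's real logs).
# Session "a1f3" appears under two different users, which is the condition
# the article describes.
SAMPLE_LOG = """\
2005-11-01T09:12:01 sid=a1f3 user=applicant-100 GET /application
2005-11-01T09:12:05 sid=b7e9 user=applicant-200 GET /application
2005-11-01T09:12:09 sid=a1f3 user=applicant-300 GET /application
2005-11-01T09:13:00 sid=c004 user=applicant-400 GET /register
2005-11-01T09:13:21 sid=a1f3 user=applicant-100 POST /application
this line is malformed and should be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sid=(?P<sid>\S+) user=(?P<user>\S+) (?P<method>\S+) (?P<path>\S+)$"
)


def parse_log(text):
    """Parse log text into a list of dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def find_shared_sessions(records):
    """Return {sid: sorted list of users} for each session ID seen with
    more than one authenticated user. An empty dict means no collisions."""
    users_by_sid = defaultdict(set)
    for r in records:
        users_by_sid[r["sid"]].add(r["user"])
    return {sid: sorted(users) for sid, users in users_by_sid.items() if len(users) > 1}


class SessionStore:
    """Issues random session IDs and binds each one to exactly one user.

    128 bits of entropy per ID makes accidental collision negligible; the
    explicit uniqueness check and owner binding make sure that even if two
    requests somehow present the same ID, the server never serves a second
    user's data for it."""

    def __init__(self, id_bytes=16):
        self._id_bytes = id_bytes
        self._owner = {}  # session id -> user who owns it

    def create(self, user):
        """Create a new session for `user`, retrying on the (improbable) duplicate."""
        while True:
            sid = secrets.token_hex(self._id_bytes)
            if sid not in self._owner:
                self._owner[sid] = user
                return sid

    def owner_of(self, sid):
        """Return the user bound to `sid`, or None if the ID is unknown."""
        return self._owner.get(sid)

    def belongs_to(self, sid, user):
        """True only if `sid` exists and is bound to `user`; a request that
        presents someone else's ID is rejected rather than served."""
        return self._owner.get(sid) == user


if __name__ == "__main__":
    shared = find_shared_sessions(parse_log(SAMPLE_LOG))
    for sid, users in shared.items():
        print(f"session {sid} used by multiple users: {', '.join(users)}")
    store = SessionStore()
    a = store.create("applicant-100")
    b = store.create("applicant-200")
    print("distinct IDs issued:", a != b)
```

Running the scan over the constructed lines reports one shared session; in practice the same query run over real access logs (session ID grouped by authenticated user) is the quickest way to size an incident like this one, because it turns "potentially affected" into a concrete list of sessions to review.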
No major damage reported
MIT examined a few logs from users’ sessions in which another student’s information had been visible. The system would “pop up someone else’s session,” Redwine said, but in the logs that were checked, “everyone we saw just closed it.”
As of Monday afternoon, MIT had heard back from about 1,800 of the 2,400 students who had submitted applications and potentially could have been affected. Letters were mailed to the remaining 600 on Monday to try to confirm all their information. “We want to be sure everything’s okay before making [admissions] decisions,” Redwine said.
“In almost all cases, [the students] have said their information looks fine. In a few percentage of the cases, they said they’d like to correct some minor things,” which were probably there in the first place, Redwine said. “In no case have we heard from anyone that there’s a real problem.”
“Currently it looks as though there probably was no damage done but we’re sorry it happened,” Redwine said. “We tried to do the responsible and fair thing. In the end it will work out okay, and we’re very happy that we haven’t had reports that people are upset.”