TV2: Hole in computer security at Kent State

When Kent State students log out of their Flashline account, it’s usually safe to say their personal information is safe and secure.

However, TV2 reporters Megan Moore-Closser and Shanice Dunning discovered that isn’t true.

Kent State University’s Flashline email is run through Google’s Gmail.

In one day, they were able to gain access to 10 different email accounts just in the newsroom and media lab located in Franklin Hall.

They simply typed www.gmail.com into the browser and up popped a person’s email account on 10 different computers they checked.

They were also able to access a few email accounts in the library.

Shanice and Megan realized this was a major issue when they found everything from bank statements, tax records, a student financial aid offer and a doctor appointment reminder to an Amazon.com purchase and dating site match results.

Lauren Mazza, a Kent State graduate student, was not aware that Megan and Shanice were able to gain access to her email account.

“I was under the impression that when I logged out of Flashline, I logged out of my email,” Mazza said. “So, I didn’t think I left it open. I’m usually pretty cautious about logging out of things.”

This issue not only opens the door for someone to snoop through your personal emails, but it could become a bigger issue if your emails get into the wrong hands.

They spoke with Brendan Walsh, the Manager of Security and Access Management at Kent State.

They wanted to know if he was aware of this issue.

“No, that’s actually news to me. I’ll investigate it today.”

Students could run into some problems if they don’t completely log out of their email account.

“Well, email is an important part of your identity,” Walsh said. “That is a way that people will try to steal other people’s identities, is to get into their email account.”

Five days after the interview with Walsh, they called to see if any progress had been made on fixing the problem.

“We’re looking into it. I don’t think it’s as serious as it looks,” Walsh said. “If there’s a way to fix it, I don’t know when it would be.”

A few days after the phone call Walsh followed up with an email.

“I confirmed with the Flashline team about the Gmail integration—this is completely a client-side issue, not something that can be fixed or coded differently in Flashline,” Walsh said. “In order for the behavior not to occur, people do need to completely close out of their browser. Just closing the tab or the window is not enough for Gmail to be registered as logged out.”

We wanted to know what he meant by client-side—whether that meant the user or Gmail.

“Actually, it is a little bit of both. Because of the way Google handles log-in sessions in the browser, there is no way to ‘fix’ it. So, instead, to prevent the problem, whenever a person logs in on a shared computer, the person needs to be sure to completely close out of the browser when they are done.”

As of now, there is no reminder on the page students see after they log out that also prompts them to log out of Gmail and shut down the web browser.

Contact Megan Moore-Closser at [email protected]. Contact Shanice Dunning at [email protected].