A new Olympic season has begun in Russia. Many competitions have been moved online due to the COVID-19 pandemic. The first level Olympiad allows the winner to enter the university without exams.
It turns out that the hacker could theoretically ensure admission to the best universities in the country, putting graduates in unequal conditions.
SQL injections and XSS vulnerabilities were discovered on the site, which make it is possible to influence the results of the competition. As a result, according to the hacker, it is easily possible: 1) find out the tasks in advance and change the answer data during the Olympiad; 2) see the sessions and data of other users; and 3) massively upload user information, including personal information (information from the passport, registration, phone, e-mail).
“SQL injection is one of the easiest ways to hack a site. Indeed, in a very short period of time and by replacing several characters, an attacker can gain access to all personal data of the Olympiad and to all tasks,” said Oleg Bakhtadze-Karnaukhov, an independent researcher on the Darknet.
According to the researcher, most likely, there was not enough time to detect such errors during the programming of this site, although it takes little time to find and fix them.
“If the site contains vulnerabilities, then a command in a specific programming language can be inserted, for example, in a link, and the page will display information that was not intended for users initially,” explained Dmitry Galov, Cybersecurity Expert at Kaspersky Lab.
According to Alexei Drozd, head of the information security department at SearchInform, the reason may be design errors, as a result of which the site, for example, poorly checks or does not check incoming information at all.
“Unfortunately, when developing websites and applications, security issues are always in the background. First, there is a question of functionality,” concluded Alexey Drozd.