Security Vulnerabilities on MEPhI Olympiad Website Allow Hackers to Win
Vulnerabilities have been discovered on the org.mephi.ru website, which hosts the Rosatom Olympiad. These flaws allow participants to access tasks in advance, modify answers, and gain access to other users’ sessions and data. MEPhI has acknowledged the coding errors, temporarily shut down the site, and is working to identify and patch additional security holes on the portal.
Background of the Incident
This year, due to COVID-19, the physics and mathematics olympiad for high school students is being held online at MEPhI. Success in this competition gives students a chance to enter the university without entrance exams.
Types of Vulnerabilities Found
The vulnerabilities, reported by Izvestia, are classified as SQL Injection (SQLi) and Cross-Site Scripting (XSS). Exploiting these flaws could theoretically allow a hacker to alter olympiad results in their favor.
Experts have confirmed that an attack on org.mephi.ru using a chain of these vulnerabilities is feasible and can be executed in just one second. By changing only three characters in the code, an attacker could access all personal olympiad data and download the tasks.
Causes and Expert Opinions
SQLi and XSS vulnerabilities usually arise from inadequate validation or sanitization of user input. Unfortunately, such mistakes are still widespread in many projects.
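To make the cause concrete, the following added example (illustrative code written for this article, not code from org.mephi.ru or any MEPhI project) shows the two defects side by side in Python with the standard-library sqlite3 module: a lookup that splices a user-supplied login into the SQL text versus one that binds it as a parameter, and an HTML renderer that escapes untrusted text before emitting it. The participant table, logins and scores are constructed sample data.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory table standing in for a contest portal's user data.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE participant (login TEXT, display_name TEXT, score INTEGER)"
    )
    conn.executemany(
        "INSERT INTO participant VALUES (?, ?, ?)",
        [("ivanov", "Ivan Ivanov", 87), ("obrien", "Pat O'Brien", 92)],
    )
    return conn


def find_score_vulnerable(conn, login):
    # Vulnerable pattern: the login is concatenated into the SQL string, so a
    # quote character in the input alters the query's structure instead of
    # being treated as data. This is the root cause of SQL injection.
    sql = "SELECT score FROM participant WHERE login = '" + login + "'"
    return conn.execute(sql).fetchall()


def find_score_safe(conn, login):
    # Hardened pattern: parameter binding keeps the query text fixed; the
    # driver sends the value separately, so it can only ever match a literal.
    return conn.execute(
        "SELECT score FROM participant WHERE login = ?", (login,)
    ).fetchall()


def render_name(display_name):
    # Hardened pattern for the XSS side: escape untrusted text before placing
    # it in HTML so markup characters are displayed, not interpreted.
    return "<td>" + html.escape(display_name, quote=True) + "</td>"


def demo():
    # Exercise both lookups with an ordinary login that happens to contain a
    # quote. The concatenated query breaks on it (the same defect an injection
    # relies on); the parameterised query simply finds no such row.
    conn = make_db()
    results = {"safe_literal": find_score_safe(conn, "ivanov")}
    try:
        find_score_vulnerable(conn, "o'brien")
        results["vulnerable_error"] = None
    except sqlite3.OperationalError as exc:
        results["vulnerable_error"] = type(exc).__name__
    results["safe_quote"] = find_score_safe(conn, "o'brien")
    results["escaped"] = render_name("<b>Ivan</b>")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The point of the quote test is that any validation layer bolted on afterwards is fragile; binding parameters and escaping at the output boundary remove the class of error rather than filtering individual inputs.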
“When developing websites and applications, security issues are, unfortunately, always a secondary concern,” says Alexey Drozd, head of the information security department at SearchInform, commenting for Izvestia. “Functionality comes first. Although the principle of ‘secure by design’ is often declared by developers, in practice it is implemented only as an afterthought.”
However, the expert believes there is little risk of these vulnerabilities being exploited on a large scale. MEPhI, he says, is more likely to suffer reputational damage.
MEPhI’s Response
Upon receiving information about the vulnerabilities, MEPhI’s information security team confirmed the presence of errors in the code of their projects.
“We inform you of the prompt response by the university’s specialized departments to the editorial signal that ‘the site is vulnerable to SQL injections and XSS vulnerabilities,’ and of the immediate work to identify potential vulnerabilities on the MEPhI portal,” a university representative wrote in response to Izvestia’s inquiry.
Current Status of the Website
The vulnerable MEPhI website is currently offline. A placeholder page displays the following message: “Dear students! Technical work is underway on org.mephi.ru, and the site is temporarily unavailable. The deadline for the preliminary rounds of the olympiad will be extended if necessary.”