July 8, 2010, 02:00 PM ET
Flash on College Web Sites May Pose Security Risk for Students
College Web sites using Adobe Flash risk exposing students’ personal data, a new study finds.
Three computer-science lecturers at the University of Worcester—Joanne Kuzma, Colin Price, and Richard Henson—ran a scan on 250 college Web sites, testing for security vulnerabilities. Approximately 20 percent of the sites ran applications containing personal information within a Flash plug-in, which the researchers say may not be as secure as the universities' own systems. Six displayed what the researchers deemed “high-critical problems," containing scripts that could be manipulated by hackers.
According to the report, which is unavailable online, security problems can arise due to professors, departments, and student organizations maintaining separate pages through the main university Web site. Academic departments often have their own individual servers, which are not set up through the school’s IT department and, therefore, may unknowingly pose security risks.
Mustaque Ahamad, a computer-science professor at the Georgia Institute of Technology, said Flash software contains bugs that may leave the machine vulnerable to hackers.
“From what I understand, hackers have exploited Web-security holes to taint and upload Flash files to university Web sites,” he said.
The tainted files allow hackers to track users who visit the sites. Such security holes also allow attackers to access other information stored in databases behind a server.
“Universities need to implement better Web security to ensure that hackers cannot upload tainted content that is hosted by their Web sites,” Mr. Ahamad said. “We are nowhere near achieving perfect security, but the risk can be reduced by being diligent about Web security.”
Adobe could not be reached for comment.