ADVERTISEMENT

ADVERTISEMENT

Ashwin Ramaswami reveals how he uncovered Stanford's data breach

He recounted how a routine records request uncovered a flaw that exposed sensitive admissions files.

 Ashwin Ramaswami  Ashwin Ramaswami / X/ @AshwinRamaswami

Indian American technology expert Ashwin Ramaswami on July 13 revealed that he was the anonymous Stanford University student who uncovered a major security flaw in the university's admissions system in 2019.

A Stanford computer science graduate, Ramaswami is currently the co-founder and chief technology officer of cybersecurity startup Corridor. He shared the account in a personal essay on X, more than seven years after the incident.

Also Read: “Don't want Phunsukh Wangdu to die,” Indian American actor Omi Vaidya

The vulnerability, first reported by The Stanford Daily in February 2019, allowed students who had requested their admissions records under the Family Educational Rights and Privacy Act (FERPA) to access other applicants' files by modifying a numerical identifier in a URL. 

The exposed records included Common Applications, transcripts, home addresses, standardized test scores, citizenship status, ethnicity, legacy status, financial aid information, personal essays and, in some cases, Social Security numbers.



According to Ramaswami, the discovery began after he requested his own admissions records in hopes of viewing admissions officers' comments. Although those comments were unavailable, he looked into how Stanford's document viewer loaded files using Chrome's developer tools and discovered that changing a numerical document ID in the URL exposed another student's admissions records.

"I incremented it by one, and another student's Common Application loaded," he wrote.

Realizing the flaw could expose far more records, Ramaswami said he continued incrementing the document IDs to understand the scope of the vulnerability before concluding that he should not have probed further. He later identified the issue as an Insecure Direct Object Reference (IDOR), a common web security vulnerability.

The night he discovered the flaw, Ramaswami said he reported it to The Stanford Daily, where he served as the newspaper's first chief technology officer. 

He said he wanted the vulnerability to be disclosed responsibly so the university could fix it while informing students whose personal information had been exposed. The newspaper worked with legal counsel before publishing its investigation.

Ramaswami said he sought legal advice after learning he could potentially face liability under the federal Computer Fraud and Abuse Act (CFAA). On his lawyer's advice, he immediately stopped accessing the system while Stanford was notified of the vulnerability.

A week later, Ramaswami met with Stanford's chief information security officer after receiving assurances there would be "no repercussions" if he helped explain how the flaw worked. During the meeting, investigators determined the vulnerability originated in NolijWeb, a third-party document management system that Stanford had continued using after the product was discontinued in 2018.

Because he had accessed multiple records while determining the scope of the vulnerability, Ramaswami said Stanford had to notify every student whose admissions file had been viewed. 

The university later said its investigation found that 93 students' records had been improperly accessed, including 81 viewed by the student who discovered the flaw and 12 viewed by others who had been informed of the issue. Stanford apologized to affected students, disabled the admissions portal, secured the system and notified Nolij's parent company, Hyland Software.

Despite assurances of "no repercussions," Ramaswami said he was later required to attend mandatory counseling sessions. He wrote that he disagreed with one university official's comparison of the incident to opening an unlocked filing cabinet because, in his view, there had effectively been "no lock" on the data.

Ramaswami also met with cybersecurity expert Alex Stamos, who warned him that a potential CFAA violation remained serious regardless of his intentions and said he should have stopped immediately after discovering the flaw instead of continuing to assess its scope. Reflecting on the conversation, Ramaswami wrote that he believed the criticism was justified.

On Feb. 15, 2019, The Stanford Daily published its investigation while protecting the student's identity. Ramaswami recalled picking up a copy of the newspaper before heading to TreeHacks, Stanford's annual hackathon, where he was helping manage technical infrastructure for about 1,000 participants.

Following the incident, Stanford expanded its bug bounty program to provide safe-harbor protections for people who responsibly report vulnerabilities discovered outside the program's original scope, a change Ramaswami said would have offered greater assurance when he found the admissions flaw.

Ramaswami said he decided to reveal his identity now because the experience shaped his work in cybersecurity, technology policy and responsible vulnerability disclosure, transforming what began as an accidental discovery into the foundation of his career.

He subsequently went on to study cybersecurity and digital surveillance at Stanford, joined the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in 2020, where he worked on tools to identify vulnerabilities in election infrastructure.

Later led an open-source software security initiative at Schmidt Futures, attended Georgetown University Law Center and eventually co-founded Corridor with cybersecurity researcher Jack Cable, whom he first met during the aftermath of the Stanford incident.

Discover more at New India Abroad.

Comments

Leave A Comment

Required fields are marked (*).

Related

Talk to us?