Is it a security vulnerability if the addresses of university students are exposed?

I am sorry for my lack of knowledge in this matter.

You shouldn't be.

Is it universally approved practice for universities to expose the name and addresses of students?

As pointed out in comments, it depends on your local laws and regulations. You should certainly check it once. But the way you describe the application (changing the URL to get the details, including the result), it sounds like a bug, which should certainly be reported.

Is it universally approved practice for universities that strong security related to name and address is not important?

No, be it a university or a big MNC or a small enterprise, or your own personal account, security is ALWAYS important.

Is it a severe attack and do I have to report it to them? Or it can be simply ignored?

Yes, you have to report it to the university, as soon as possible. It should not be ignored.

EDIT: As pointed out in comments, there are some universities which do allow students' addresses to be made public.


This is a vulnerability: the way they have used sequenced, guessable numbers to access records is a class of vulnerability called Insecure Direct Object Reference, which is featured in the OWASP Top 10 (https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References).

Depending on where in the world you live, the university may be contravening data protection laws. At the very least it is poor data control and violates your personal privacy; you should certainly tell them about this.
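As an added illustration of the Insecure Direct Object Reference described in this answer (example code, not from the original post or from OWASP): a record lookup that trusts the id in the URL, beside one that checks ownership against the server-side session. The student records, usernames and the check helper are constructed for the example.

```python
# Added example, not from the original post. Constructed sample data with
# sequential, guessable record ids of the kind the answer describes.
STUDENTS = {
    1001: {"owner": "alice", "name": "Alice Smith", "address": "1 High St"},
    1002: {"owner": "bob", "name": "Bob Jones", "address": "2 Low Rd"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the record."""


def get_student_vulnerable(record_id: int, session_user: str) -> dict:
    """Vulnerable: the id in the URL is used directly as the key and the
    identity of the caller is never consulted (classic IDOR)."""
    return STUDENTS[record_id]


def get_student_hardened(record_id: int, session_user: str) -> dict:
    """Hardened: look the record up, then enforce ownership against the
    server-side session user, never against anything in the request."""
    record = STUDENTS.get(record_id)
    # One response for 'no such record' and 'not your record', so the
    # existence of other ids is not disclosed by a 404/403 difference.
    if record is None or record["owner"] != session_user:
        raise Forbidden("record not found or not accessible")
    return record


def check_access_control(lookup, session_user: str) -> list:
    """Defender's regression check: ask for every id as `session_user` and
    return the ids whose records belong to someone else but were returned.
    An empty list means the lookup enforces ownership."""
    leaked = []
    for rid in sorted(STUDENTS):
        try:
            rec = lookup(rid, session_user)
        except (KeyError, Forbidden):
            continue
        if rec["owner"] != session_user:
            leaked.append(rid)
    return leaked
```

Running `check_access_control` against both lookups as `alice` shows the vulnerable one handing back Bob's record and the hardened one returning nothing it should not.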


Since the university is in the UK, this is almost certainly a breach of the DPA 1998. That is, this is not narrowly a ‘security’ issue.

A student home address would certainly count as ‘personal data’ within the terms of the Act. The fact that you can retrieve the data in this way is, I'm very sure, a violation of principle 7 (and probably 6 and 8 as well). The principles are that personal data must be

  1. fairly and lawfully processed;
  2. processed for limited purposes;
  3. adequate, relevant and not excessive;
  4. accurate;
  5. not kept for longer than is necessary;
  6. processed in line with users’ rights;
  7. secure; and
  8. not transferred outwith the EEA.

The fact that you had to very mildly hack this to get the information doesn't change things: it means that it isn't secure. Principle 7, in full, is ‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’

A final degree classification would count as public data, in the sense that part of your contract with the university is that they would tell people that you've graduated. Internal/intermediate marks would probably not count as public data (and that ‘probably’ means that there would have to be a positive argument that they did count as public, before it was OK to make them available like this).

The university should have a DPA office/officer who will go ballistic when you report this to them (and I think you should), and should be able to get very senior pressure applied to change it. They might not seem to make much of a fuss in response to your report, but I hope they would take immediate action internally. If they don't fix it promptly (or perhaps even if you don't see immediate evidence that they have done so), then a report to the ICO, as suggested by @daiscog's comment, would be proper.

Regarding the question of reporting this anonymously, you could if you want, but I would hope it wouldn't matter, and that the DP Office would be appropriately discreet (this is very much their problem, not yours). If there were any comeback, I'm sure the ICO would be extremely interested to hear about that.

I'm in effect the DP officer in our (UK) university department, and I know how I or the university DP office would respond to hearing about this.

(I originally posted this as a comment, but on reflection expanded it into an answer)