Hickey ’08 squashes ‘Banner’ bug

Tuesday, September 18, 2007

Imagine you have just logged into your Banner account. Moments later, you receive an e-mail that reads “check out this cool video!” followed by an innocent-looking hyperlink. You click the link as your Banner window sits in the background, but the site doesn’t seem to load, so you shrug it off and continue with Banner, registering for that last class you had been shopping.

But little do you know that you’ve just become a victim of theft. Your home address, academic transcript and private financial aid information have been sent to a neighboring room, or to a different state or country. Your classes have been dropped. And as you stroll out of the room with naive confidence, your most precious information sails out, too.

Thanks to Brendan Hickey ’08, you can rest easy. Hickey’s discovery of this potentially detrimental attack and its subsequent patching – just days before registration period began – means students at Brown and the hundreds of other schools using Banner software needn’t worry.

Hickey, a computer security enthusiast, discovered the threat in late August while working on a summer project at Brown. After encountering an error message in Banner, Hickey used his intimate knowledge of Web security to identify a weakness that left Banner open to a class of attack called CSRF, or cross-site request forgery: a malicious page that makes the victim’s browser send requests to Banner, which Banner then treats as if the logged-in student had made them.

“The idea is that a student is using Banner, and you send them a link to another site that can execute actions as if it were the student,” Hickey said. “It could force someone to drop classes, add classes, print out their transcripts.”

Hickey added that if the same attack were aimed at a professor’s logged-in session, it could potentially be used to alter students’ grades.

“I’m not familiar with the professors’ user interface, but it’s certainly possible,” he said.
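To make the mechanism concrete, the following is an added example written for this page; it is not Hickey’s test case, nor Banner’s code, nor a description of how SunGard patched the product. It models a state-changing “drop course” endpoint in two forms: one that trusts the session cookie alone (the pattern a CSRF attack exploits, since the victim’s browser attaches that cookie to requests from any site) and one that additionally demands a per-session anti-CSRF token, which a page on another site cannot read. The endpoint path, origin names, course codes and request shapes are all constructed for illustration.

```python
"""Added example (not from the article, Banner or SunGard): a minimal
model of the CSRF flaw described above and one standard defence.

Assumptions (all constructed for illustration):
  - a student session is identified by a session cookie named SESSID,
  - the state-changing action "drop course" is triggered by a POST form,
  - the hardened handler requires a per-session anti-CSRF token in the
    form body, and rejects a mismatching Origin header when one is sent.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    """A simplified HTTP request as the server sees it."""
    method: str
    path: str
    cookies: dict            # the browser attaches these automatically
    form: dict               # body fields; a cross-site page controls these
    origin: Optional[str] = None  # Origin header, when the browser sends one


@dataclass
class Session:
    user: str
    courses: set = field(default_factory=set)
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


SESSIONS = {}  # session cookie value -> Session (in-memory stand-in)


def login(user, courses):
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user=user, courses=set(courses))
    return sid


def attacker_page_html(target_url, course):
    """What the 'cool video' link could serve: a hidden form that submits
    itself to the registration endpoint. The victim's browser adds the
    session cookie; the page never needs to read it."""
    return (
        f'<form id="f" method="POST" action="{target_url}">'
        f'<input type="hidden" name="course" value="{course}">'
        '</form><script>document.getElementById("f").submit()</script>'
    )


def drop_course_vulnerable(req):
    """Trusts the session cookie alone, so any site can trigger the action."""
    sess = SESSIONS.get(req.cookies.get("SESSID"))
    if req.method != "POST" or sess is None:
        return 403, "not logged in"
    sess.courses.discard(req.form.get("course"))
    return 200, "dropped"


def drop_course_hardened(req, site_origin="https://banner.example.edu"):
    """Synchronizer-token check, plus an Origin check when the header exists.
    The token check alone defeats the forged form; the Origin check is a
    second, independent signal for browsers that send the header."""
    sess = SESSIONS.get(req.cookies.get("SESSID"))
    if req.method != "POST" or sess is None:
        return 403, "not logged in"
    if req.origin is not None and req.origin != site_origin:
        return 403, "cross-site request rejected (Origin)"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess.csrf_token):
        return 403, "cross-site request rejected (missing/invalid token)"
    sess.courses.discard(req.form.get("course"))
    return 200, "dropped"


def simulate_forged(handler):
    """Replay the article's scenario: victim logged in, then a forged POST
    arriving from an attacker page. Returns (status, courses left)."""
    SESSIONS.clear()
    sid = login("student", {"CSCI1950", "MATH0100"})  # constructed data
    forged = Request("POST", "/registration/drop", {"SESSID": sid},
                     {"course": "CSCI1950"}, origin="https://evil.example")
    status, _ = handler(forged)
    return status, sorted(SESSIONS[sid].courses)


def simulate_legitimate(handler):
    """The same action submitted from the real site's own form, which
    carries the session's token and the site's Origin."""
    SESSIONS.clear()
    sid = login("student", {"CSCI1950", "MATH0100"})  # constructed data
    sess = SESSIONS[sid]
    legit = Request("POST", "/registration/drop", {"SESSID": sid},
                    {"course": "CSCI1950", "csrf_token": sess.csrf_token},
                    origin="https://banner.example.edu")
    status, _ = handler(legit)
    return status, sorted(sess.courses)


if __name__ == "__main__":
    print("vulnerable, forged:", simulate_forged(drop_course_vulnerable))
    print("hardened, forged:  ", simulate_forged(drop_course_hardened))
    print("hardened, legit:   ", simulate_legitimate(drop_course_hardened))
```

The forged request succeeds against the first handler because the cookie is all it checks; against the second it fails on the token, and the legitimate request from the site’s own form still goes through. Note that an Origin check by itself is not sufficient, since some browsers and request types omit the header; the per-session token is the check that must never be skipped.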

Upon discovering the potential for a CSRF, Hickey went to the Computing and Information Services Help Desk and showed employees there what he had found.

“They asked me to make a test case,” Hickey said, referring to a trial attack that would demonstrate the power of the attack without harming anyone. “I put one together in 15 minutes.”

Within a matter of days, news of Hickey’s “Banner bug” had reached University officials and even a senior vice president of SunGard Higher Education, the company that develops Banner.

“They asked me all sorts of questions about it, and then asked me for suggestions on what to do next,” Hickey said. “I gave them.”

Vice President for Computing and Information Services Michael Pickett, Brown’s chief information officer, said Hickey’s work is greatly appreciated by University officials and the developers of Banner.

“Brendan made a nice contribution to the strength of the software,” Pickett said. “The SunGard folks are real pleased.”

The problem was patched up the weekend before registration, Pickett said, and was responsible for some of the downtime in Mocha, the student-run online course catalog.

Pickett said Hickey made the right choice in bringing the security flaw to the attention of CIS officials and was not in violation of any of Brown’s codes of conduct.

“It was not hacking. He violated no rules,” Pickett said. “In fact, I have a dinner meeting to congratulate him.”

Shriram Krishnamurthi, associate professor of computer science and Hickey’s adviser, said he was proud of Hickey’s creative thinking and professional attitude in the discovery of the Banner bug.

“He was a total 110 percent pro about the whole thing,” Krishnamurthi said. “He could have done nasty or foolish things, but instead he did responsible things.”

Krishnamurthi explained how Hickey’s interests matched the situation perfectly – Hickey was one of only a handful of people at Brown even capable of discovering the flaw.

“He’s studying exactly the security of these sorts of things, so he’s in a position to look at these things and understand them immediately,” Krishnamurthi said. “There are people who take this world as it is, and there are people who probe every system they encounter. Brendan is most assuredly the latter category.”

Krishnamurthi also emphasized the severity of the problem Hickey discovered. While obtaining an address or phone number might not seem particularly threatening, a little information can go a long way and have severe consequences, such as identity theft.

And it doesn’t stop there, Krishnamurthi said.

“If someone attacked my machine, they could change the grades of my students,” he said. “And this could affect anybody. In principle, the registrar could get hit with this attack, and presumably he has some interesting powers.”

Krishnamurthi and Pickett said the turn of events should bode well for Hickey, who plans to apply to graduate school.

“I wouldn’t mind writing him a recommendation based on his work,” Pickett said.

In the meantime, Hickey has already reaped the benefits of the affair. A self-described “security nut,” he couldn’t get the details of the Banner bug out of his head, and it visited him in the middle of the night.

“The problems I discovered in Banner are related to some of the problems I’ve been working on all summer,” Hickey said. “I was sitting in bed at 2:00 a.m. and discovered a solution to the problem I’d been working on all summer.”

Hickey e-mailed Krishnamurthi at 2:53 a.m. on Aug. 25 with the idea for his senior thesis.

“I guess fortune favors the prepared mind,” Hickey said.
