Nineteen teams of ethical hackers tried to break into the IT systems of higher education institutions last Wednesday. During the staged hack, organised by the educational institutions to make their IT systems and websites more resilient against cybercrime, the hackers found the most vulnerabilities at the UvA.
Applause and cheers erupted at the USC’s De Oerknal sports café at Science Park when it was announced that UvA websites were hacked the most during the Hack al het Onderwijs in Nederland (Halon) event. However, Roeland Reijers, Chief Information Security Officer of both the UvA and the Amsterdam University of Applied Sciences (HvA), jokingly ducked his head upon hearing the news. Yet he had no reason for major concern: “Look, the UvA is hosting this year’s event, so that means we’re somewhat inviting it upon ourselves. Additionally, the UvA provided the largest list of websites for the hackers to work on, so it doesn’t surprise me that we had the most vulnerabilities found.”
Cracking Codes
In the USC gym, nineteen teams of so-called ethical hackers spent six hours identifying weaknesses on websites from ten participating Dutch higher education institutions. Among power strips, cans of cola, and cups of coffee, the hackers worked intently on cracking codes on their laptops. At exactly four o’clock, time was up, and a jury evaluated the hacks based on feasibility, creativity, and degree of vulnerability.
The hack event has been organised since 2021 by SURF, the IT cooperative for Dutch educational and research institutions. This third edition was hosted in partnership with the UvA, with various student teams also taking part. “It’s important to provide a platform where students can learn hacking, while we learn from it as well,” said Reijers. The educational institutions aim to gain insights into the vulnerability of their IT infrastructure and websites. “Nothing is foolproof,” he added.
UvA Hacked
This isn’t the first time the UvA has allowed itself to be hacked. Since 2022, the UvA has participated in Halon. During the event, the university consciously invites ethical hackers to test the security of its websites by attempting to infiltrate digital information systems. But in 2021, the UvA was actually hacked by criminals, the so-called “crackers.” “Back then, criminals accessed our network systems through a student’s login credentials,” Reijers explained. “They subsequently infected our systems with various harmful programs. A few years earlier, Maastricht University experienced a similar attack: the whole network was encrypted and held hostage, and the university lost access to it. That could have happened to us too. Fortunately, we managed to stop that attack just in time.”
Later in 2021, UvA Q – the system used for course evaluations – was also targeted by hackers. “That incident was resolved without major issues,” said Reijers. “Since then, we’ve improved the security of our systems, including with two-step verification. Through Halon, we invite teams of ethical hackers to infiltrate our websites in a similar manner, albeit under supervision. This way, we identify where UvA’s digital doors are unnecessarily ajar – something we might otherwise never have discovered.”
OS3 on Top
Among the nineteen hacker teams were two UvA teams composed of students from the master’s programme in Security and Network Engineering. They managed to identify two vulnerabilities in the UvA system and one at the Amsterdam University of Applied Sciences (HvA). For example, they discovered an outdated web page containing the first and last names of students who studied there between 2006 and 2024.
“These personal details were on a web URL that wouldn’t appear in a standard Google search, but could be accessed with minimal programming knowledge,” explained master’s student Jeroen van Diepen (21), who found the error. “Additionally, we managed to infiltrate the HvA internship database,” Van Diepen continued. “To prove we succeeded, we programmed a pop-up message on the website: ‘OS3 on top,’ our team name. It’s completely harmless, but a malicious actor could misuse it by placing something highly inappropriate or redirecting you to a phishing website to steal your login details, bank information, or other sensitive data.”
WordPress
Finally, the students managed to access a WordPress website used by a research group from the UvA’s Faculty of Science. WordPress is a popular system that allows users to build and manage a website without technical expertise. “Due to insufficient protection, we could access the usernames of the researchers and could even post a blog entry on their website,” said Van Diepen. “This is actually a very common mistake, as WordPress itself doesn’t protect users well against it, though you can prevent it with a bit of research.”
29 Vulnerabilities
Ultimately, a total of 29 vulnerabilities were found across the entire UvA network. According to Reijers, this is not immediate cause for alarm: “Most of the vulnerabilities found are minor programming oversights that wouldn’t necessarily lead to a major breach in our systems. We encounter this type of error almost daily. And let me be clear, these issues need to be addressed. We stay on top of it. That’s essential: cybercrime has become part of everyday life. Recently, there was a large hack at the national police. Events like these help us stay even more vigilant.”