Bugs

This is a list of bugs my students have found in real software [our disclosure policy]. Recent flaws are at the top of the list. The following are not necessarily security vulnerabilities, but rather code flaws or errors. Some have security implications; in others, the security implications may be tempered by configuration or access or the need for a sufficiently powerful attacker. These are not meant to be earth-shattering disclosures, but rather evidence that:

In almost all cases, students found these bugs with only gentle encouragement and little technical assistance from me.

As of 2 December 2011, we have found 12 bugs (some of the documents below report on multiple flaws).


  1. QuickDraw BufferedReader bug (Yang Li / M. Locasto)
  2. UofC SquirrelMail Cookie encoding / username bug (Yang Li) [broken code demo]
  3. UofC SquirrelMail cookie data persists across distinct user sessions (Yang Li / M. Locasto) [sample cookie]
  4. Twitter app auth flaw (R. Gonzalez)
  5. GHC bug (J. Gallagher)
  6. Megavideo bug (J. Gallagher)
  7. ATutor flaws (P. Jungles)
  8. Cad-Kas PDFreader (P. Jungles)
  9. PHFTP XSS (S. Cartwright)
  10. TEMS XSS (S. Cartwright)
  11. Kimai (2 bugs, C. Jarabek)