Attack of the ‘eat penis’ person
This semester, my students were creating a website which features a to-do list. Anyone who registers on the site can create their own to-do items which they can retrieve later. Unfortunately, some of the students hadn’t quite implemented authentication properly when their sites went live, and one of their classmates was a vandal with fellatio on their mind.
About 5 groups were affected by this, and each group had around 20 items in their to-do list. It wasn’t a SQL injection attack; the vandal simply manually edited every item to say ‘eat penis’. They weren’t entirely single-minded about it though – on every list, one of the items said ‘eat pussy’ instead.
I took a screenshot and emailed it to each group, then ran some queries on the database to update all the items to something innocuous. Some of them were simply grateful that I’d let them know, while others were mortified about the situation and sent me emails profusely apologising and assuring me that they hadn’t done it. However, almost as soon as I’d updated the databases, they were changed again. Most of them put proper authentication on their site fairly soon, but not before someone else in the class had added their 2c to the situation:
As the sites were public, I had no way to really trace the culprit except to an Orcon IP address. Since they hadn’t actually done anything really wrong, I had no cause for further action, although I did my best to embarrass them in class. I have my suspicions who it was, but I’ll probably never know. I consider it a useful lesson in the importance of securing a website.
As well as the checklists, they also filled in a few of the website contact forms (of which most were copied or sent to me as the “company representative”):
Three groups still hadn’t got their authentication sorted by the time of the final presentations – they simply updated the data every time it was vandalised. One group emailed me explaining that they’d been ‘attacked by the eat penis person’ and asking if it would affect their marks for the presentation (it didn’t – only their project mark). Another noticed during the presentation that all their to-do items had been changed to eat penis, but apart from getting very red-faced, ignored it.
This time at least, the person seems to have had slightly more imagination: