David

Privacy

September 2023 | Log4J

I found two outdated Minecraft servers on the MIT network that were vulnerable to Log4j (CVE-2021-44228). If abused, an attacker could execute malicious code on the machine.

I reported this to the MIT IST team, who fixed it quickly. They took down the vulnerable servers.

May 2023 | No passwords

While poking around the MIT network, I found a server that was being used as a seedbox. What was surprising was that none of the services, such as Deluge, Sonarr, Radarr, and others, were password protected. This server was involved in piracy.

The lack of password protection was a major concern. This is because Deluge and Sonarr variants allow custom scripts to be run, which could lead to serious security risks. Realizing the severity of the situation, I immediately reported it to IST. They acted swiftly and took the server down.

For both reports, this was the generic response I got back. I guess it’s better than nothing. 🫤

Hello.

Thank you for the responsible disclosure. We will review and contact the site owner if necessary.

For more information on MIT’s Bug Bounty program, including scope, terms, and eligibility is available at: https://bounty.mit.edu.

Regards, Information Security

Massachusetts Institute of Technology
Information Systems & Technology (IS&T)
Information Security
[email protected]
https://ist.mit.edu/secure

© David Stephenson

Creative Commons by-nc-nd 4.0 International License
Acknowledgements