Students find Flashline Security Loophole at Kent State
Tax information, bank records and other personal data in email of students accessible by anyone
By Megan Moore and Shanice Dunning
Kent State University student journalists Megan Moore and Shanice Dunning recently discovered a computer security issue with Kent State students’ Flashline email accounts.
Flashline provides Kent State students, faculty, and staff with a university email account as well as other services.
In one day, the journalism students were able to gain access to 10 different email accounts via computers in the newsroom and media lab located in Franklin Hall on campus.
They simply typed www.gmail.com into the browser and up popped student email accounts on 10 different computers.
Kent State’s Flashline email is run through Google’s Gmail.
The students also were able to access a few email accounts on computers in the university library.
Dunning and Moore realized this was a major issue when they found personal documents including bank statements, tax records, a student financial aid offer, a doctor's appointment reminder, an Amazon.com purchase and dating site match results in the email accounts they accessed.
Lauren Mazza, a Kent State graduate student, was not aware that Moore and Dunning were able to gain access to her email account.
“I was under the impression that when I logged out of Flashline, I logged out of my email,” Mazza said. “So, I didn’t think I left it open. I’m usually pretty cautious about logging out of things.”
This issue not only opens the door for someone to snoop through students’ personal emails, but it could become a larger issue if their emails get into the wrong hands.
Moore and Dunning spoke with Brendan Walsh, the manager of Security and Access Management at Kent State, to see if he was aware of this issue.
“No, that’s actually news to me,” Walsh said.
The journalism students learned fellow students could run into some problems if they don’t completely log out of their email account.
“Well, email is an important part of your identity,” Walsh said. “That is a way that people will try to steal other people’s identities, is to get into their email account.”
Five days after the interview with Walsh, they called to see if any progress had been made on fixing the problem.
“We’re looking into it,” Walsh said. “I don’t think it’s as serious as it looks. If there’s a way to fix it I don’t know when it would be.”
A few days after the phone call, Walsh followed up with an email.
“I confirmed with the Flashline team about the Gmail integration — this is completely a client-side issue, not something that can be fixed or coded differently in Flashline,” Walsh said. “In order for the behavior not to occur, people do need to completely close out of their browser. Just closing the tab or the window is not enough for Gmail to be registered as logged out.”
We wanted to know what he meant by client-side — whether that meant the user or Gmail.
“Actually, it is a little bit of both,” Walsh said. “Because of the way Google handles log-in sessions in the browser, there is no way to ‘fix’ it, so, instead to prevent the problem, whenever a person logs in on a shared computer, the person needs to be sure to completely close out of the browser when they are done.”
As of Friday there was no reminder for students on the page after they log out that also prompts them to log out of Gmail and shut down the web browser.