Students find Flashline Security Loophole at Kent State

Tax information, bank records and other personal data in email of students accessible by anyone

By Megan Moore and Shanice Dunning

student journalists Megan Moore and Shanice Dunning recently discovered a computer security issue with Kent State student’s Flashline email accounts.

Flashline provides Kent State students, faculty, and staff with a university email
account as well as other services.

In one day, the journalism students were able to gain access to 10 different email accounts via computers in the newsroom and media lab located in Franklin Hall on campus.

They simply typed www.gmail.com into the browser and up popped student email accounts on 10 different computers.

Kent State’s Flashline email is run through Google’s Gmail.

The students also were able to access a few email accounts on computers in the university library.

Dunning and Moore realized this was a major issue when they found personal documents ranging from bank statements, tax records, a student financial aid offer, a doctor's appointment reminder, Amazon.com purchase and dating site match results in the email accounts they accessed.

Lauren Mazza, a Kent State graduate student, was not aware that Moore and
Dunning were able to gain access to her email account.

“I was under the impression that when I logged out of Flashline, I logged out of my email,” Mazza said. “So, I didn’t think I left it open. I’m usually pretty cautious about logging out of things.”

This issue not only opens the door for someone to snoop through student’s personal emails, but it could become a larger issue if their emails get into the wrong hands.

Moore and Dunning spoke with Brendan Walsh, the manager of Security and Access Management at Kent State, to see if he was aware of this issue.

“No, that’s actually news to me," Walsh said.

The journalism students learned fellow students could run into some problems if they don’t completely log out of their email account.

“Well, email is an important part of your identity,” Walsh said. “That is a way that people will try to steal other people’s identities, is to get into their email account.”

Five days after the interview with Walsh they called to see if any progress had been made on fixing the problem.

“We’re looking into it," Walsh said. "I don’t think it’s as serious as it looks. If there’s a way to fix it I don’t know when it would be.”

A few days after the phone call Walsh followed up with an email.

“I confirmed with the Flashline team about the Gmail integration — this is completely a client-side issue, not something that can be fixed or coded differently in Flashline,” Walsh said. “In order for the behavior not to occur, people do need to completely close out of their browser. Just closing the tab or the window is not enough for Gmail to be registered as logged out.”

We wanted to know what he meant by client-side — whether that meant the user or Gmail.

“Actually, it is a little bit of both,” Walsh said. “Because of the way Google handles log-in sessions in the browser, there is no way to ‘fix’ it, so, instead to prevent the problem, whenever a person logs in on a shared computer, the person needs to be sure to completely close out of the browser when they are done.”

As of Friday there was no reminder for students on the page after they log out that also prompts them to log out of Gmail and shut down the web browser.

Click on this link to watch the students' report.

Megan Moore-Closser May 02, 2012 at 03:23 PM
TheVoiceOfReason, I am glad you know that this can happen. But I did not do the story for you, I did it for the students who don't know about this. Which is clear in the video with the 10 we were able to access just in one day. I contacted those people and many were not aware of this problem and were shocked we could access their email because they thought once they logged out of Flashline their email account was completely closed. This was in no way "fear mongering" to get views. We realized it was an issue from how many email accounts, that students thought were closed because they signed out of Flashline, were still open when we typed in www.gmail.com. Before the university switched the email service to Gmail this wasn't an issue in Flashline. Once you logged out you were completely logged out whether you closed the browser or not. Many students we spoke with were not aware that just clicking the red x on a Mac was not enough to close the browser. My purpose was to educate those who may not be as computer savvy as you or are aware that this could happen. Sometimes students are in a rush to go to class and just stop to quickly check their email and don't completely close their browser or just don't think twice about closing the browser. I felt that from what we found in the emails that was enough to run the story. Students need to at least be aware that their personal information can be accessed if they don't take the simple step of completely closing the browser.
Racer6854 May 02, 2012 at 09:22 PM
You have a very interesting way of "educating" people. The report was 10 minutes of "ROAR KENT STATE COMPUTERS ARE BAD YOU SHOULD NOT USE THEM!" and then 10 seconds of "but if you actually close your web browser correctly, you won't have any problems." Maybe you should see if Fox News is hiring.
Mancomb Seepgood May 03, 2012 at 02:46 AM
LOL JOURNALISM MAJORS AMIRITE GUYS? But seriously, spreading this kind of FUD around just makes you look bad. This is not a "Flashline Security Hole". This is people being the weakest link in a security chain. Fact: most identity theft occurs through social engineering and not ZOMGCOMPUTERHAXXING, as so many badly written 90s movies will have you believe.
Mancomb Seepgood May 03, 2012 at 02:56 AM
You DO realize that the computer systems are independently managed by different people at the different schools, don't you? This has nothing to do with Walsh, Flashline, or even Google.
Charles Osuru May 18, 2012 at 09:07 AM
I feel good


More »
Got a question? Something on your mind? Talk to your community, directly.
Note Article
Just a short thought to get the word out quickly about anything in your neighborhood.
Share something with your neighbors.What's on your mind?What's on your mind?Make an announcement, speak your mind, or sell somethingPost something
See more »