Within days of its launch, hundreds of Stanford students signed up for Link, a website meant to connect users and their crushes. But in addition to violating University policy, the site was vulnerable to SQL injection, a kind of cyber attack, which may have compromised the data of many of them.
An anonymous individual emailed The Daily on Tuesday with what they claimed was user data from the site, attaching a spreadsheet that contained what appeared to be the names, email addresses and submitted crushes of around 100 users.
The individual also provided screenshots and a screen-recorded video depicting the alleged hack. The Daily confirmed the accuracy of a small sample of the data in the spreadsheet and video.
The site’s creator, Ishan Gandhi ’23, confirmed the existence of the vulnerability and said that as many as around 1,000 users’ data could have been accessible at a given point in time. Asked if he thought that the alleged hacker had accessed user data, Gandhi said, “that’s what it seems like, yes” but that “there’s been no confirmation.”
After being shown heavily redacted data, Gandhi began to walk back his previous statement. He wrote in an email after the interview that he was “genuinely skeptical” that the hacker had accessed the data because of “irregularities” in its format.
The Daily withheld reporting on the issue until Gandhi could secure the site. Gandhi says users’ data is now secure and the site has since been taken offline.
Concerns about Link follow scrutiny of startups like Cardinal Crush and Queer Chart that were created with the intent of connecting students but were beset by privacy concerns.
Privacy concerns
Gandhi, who also acts as a liaison between The Daily and the radio station KZSU, told The Daily earlier this month that Link was entirely private and secure. Link also wrote on Instagram in a now-deleted post that “no human can look at any of your data, including members of the Link team.” Gandhi told The Daily the post was deleted as part of Link’s compliance with Stanford’s trademark policy.
Now, he says, Link has hired a data protection officer — an undergraduate studying economics at Yale — to ensure “nothing like this ever happens again.”
Security researcher Jack Cable ’22, who has been recognized by Google, Facebook and the Department of Defense for discovering security vulnerabilities, told The Daily the vulnerability would likely have allowed hackers to access and modify users’ information. Cable wrote that one could not determine with full certainty that user data could have been accessed without exploiting the vulnerability themselves.
SQL injection attacks, a somewhat common form of cyber threat first exploited over 20 years ago, involve submitting malicious code through a webpage form to alter or extract information stored in a database. A site may be vulnerable to SQL injection if it includes a form that neglects to check users’ inputs to see if they are malicious.
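The flaw described above, shown as an added illustration that is not Link’s code and not part of The Daily’s reporting: a constructed lookup over sample sign-up rows, where a form value pasted into the SQL text returns every row, beside the parameterized version that binds the value as data. The table, column and function names and all sample values are assumptions.

```python
import sqlite3


def build_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE submissions (name TEXT, email TEXT, crush TEXT)")
    db.executemany(
        "INSERT INTO submissions VALUES (?, ?, ?)",
        [
            ("Alice Example", "alice@example.edu", "Bob Example"),
            ("Bob Example", "bob@example.edu", "Carol Example"),
            ("Carol Example", "carol@example.edu", "Alice Example"),
        ],
    )
    return db


def lookup_vulnerable(db, email):
    # The form value becomes part of the SQL text, so a quote character
    # inside it changes the structure of the query itself.
    sql = "SELECT name, email, crush FROM submissions WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, email):
    # The value is bound separately from the statement; the database
    # compares it as a string and never parses it as SQL.
    sql = "SELECT name, email, crush FROM submissions WHERE email = ?"
    return db.execute(sql, (email,)).fetchall()


# Constructed form input containing a quote and a condition that is always true.
CRAFTED = "x' OR '1'='1"


def demo():
    db = build_db()
    return {
        "vulnerable_normal": len(lookup_vulnerable(db, "alice@example.edu")),
        "vulnerable_crafted": len(lookup_vulnerable(db, CRAFTED)),
        "parameterized_normal": len(lookup_parameterized(db, "alice@example.edu")),
        "parameterized_crafted": len(lookup_parameterized(db, CRAFTED)),
    }


if __name__ == "__main__":
    print(demo())
```

With ordinary input both lookups return the one matching row; with the crafted input the concatenated query returns all three rows and the parameterized query returns none.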
The individual who contacted The Daily alleging that they had hacked Link said that the data “will not be released to the public” and that they erased it from their systems after gathering the “information they needed to report the issue.” In emails, they offered Gandhi advice on how to fix the vulnerability.
“I wanted to make sure that the site would get patched, so that others could not find the same issues I did and do something malicious with the information,” the individual wrote to The Daily.
The individual also attached a screen-recorded video depicting a command line program called sqlmap running and allegedly extracting user data from the site.
Gandhi wrote Tuesday night that he took the website offline shortly after he was alerted to the alleged breach “in order to rule out any future injection attacks,” adding that he was “confident” none of Link’s users’ data would be released. The page of the website that had been affected by the vulnerability appeared to remain accessible until Thursday morning, although it was unclear if the vulnerability still existed.
Encryption
Link wrote on Instagram that no one, not even members of Link’s team, could look at any of users’ data, with a bullet point saying “database encryption is industry-standard (Microsoft’s ‘SEAL’).”
But Gandhi told The Daily it was “technically feasible” for him — but only him — to access data in the “active” database, although such an action would have been against Link’s internal policies. According to Gandhi, those policies were written by himself and codified with his significant other.
He also said that Microsoft SEAL encryption was not actually in use on Link’s site, saying it was included as a comparison of Link’s encryption to industry-standard methods.
Gandhi said he can “categorically confirm that our databases are encrypted.” He said, however, that user data is split “across multiple databases” and that if a database is currently receiving new submissions from the website it may not have been encrypted.
“Encryption occurs once each database has hit an input limit,” Gandhi wrote, which lies around 1,000 entries, according to him. “If the database targeted was our ‘active’ database, … then it’s possible they were able to access unencrypted data.”
A page on Link’s website with their privacy policy stated that “no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure” and that Link “cannot promise or guarantee that hackers, cybercriminals or other unauthorized third parties will not be able to defeat our security.”
Gandhi told The Daily that he believed Link had not violated their privacy policy.
Email usage
Link sent emails to students that appeared to come from “[email protected].” University spokesperson E.J. Miranda wrote in a statement to The Daily that it is a violation of University policy for anyone other than University officials to use the address. Miranda also wrote that the University was reviewing the incident and that infractions by students of University policies like the Computer and Network Usage Policy and the Fundamental Standard are referred to Student Affairs for review.
“It was spoofing,” Miranda wrote to The Daily in a statement about the use of the address. Spoofing involves the changing of email metadata to make a message appear to be from an address that the sender doesn’t actually own.
Asked about spoofing, Gandhi replied, “I’m not quite sure what you’re referring to” and later told The Daily that “[email protected] is ours –– I’m not 100% on whether I’m happy to disclose how I got it.”
Miranda also wrote that “it is important not to send unsolicited bulk email to Stanford community members.” Link gave users the option to enter the email address of their listed “crushes.” If a user did, Link would send that person an email that told them “someone” was interested in them without specifying who.
Gandhi said that after “productive talks” with the University administration, Link removed this feature so that emails “can only be sent to people who have already signed up” for the site.
Gandhi also said that Stanford reached out to him regarding his usage of Stanford’s name on his site and on social media. University policy prohibits use of University “marks” like the Stanford name “in connection with an actual or implied endorsement of non-Stanford entities or their products, services or activities.”
Link changed the name of their Instagram account from “stanford.link” to “link_technologies” in response to the University’s trademark policies and told The Daily that they will no longer use the “stanfordlink.com” URL when they relaunch their site.
“We’re fully in compliance with every aspect of Stanford’s trademark policy,” Gandhi said on Thursday, adding that he was told that “no action would be taken as long as we were compliant by Aug. 15.”
Link’s future
Gandhi says Link plans to relaunch their site in the next few days with the issues of user privacy and trademark infringement resolved.
He told The Daily that the company’s newly appointed data protection officer is in the process of drafting a statement announcing the vulnerability to users. Gandhi also said the consultancy Ametros Group would be contracted to help improve the site’s security in the future.
Link will release a new privacy policy when their site comes back online, and all current user data will be “retired” as the company builds new databases, according to Gandhi. He told The Daily the new site will include a feature that will give users more control over their personal information.
Gandhi told The Daily he believes Link will be able to regain users’ trust.
“Ultimately, we’re a young company,” he said. “And there’s a lot of learning to be done, clearly. We view this as something to be glad for in that we could at least resolve these issues now” rather than when Link’s user base is “expanded.”
But some students have been skeptical of Link from the beginning.
“It could create a big hot mess,” Phillip Tran ’23 said earlier this month. “I think Stanford Link should be more transparent about … how they’re running their algorithm, how they’re trapping, and how they’re storing information.”