As an external expert, I take part in internship and bachelor thesis reviews and defenses. Typically six to eight per year. This makes 12 to 16 theses to read and defenses to attend (including intermediate reviews). Voluntary work I genuinely like to do. It feels like I can give back to a university, lecturers and a study program that has opened many doors for me. The theses also give glimpses into the industry and company internals.
This week I encountered a new situation.
While reviewing a bachelor thesis, I noticed that a screenshot showed an API key within a cURL statement. The API key did not look like a placeholder – neither in format nor in the character sequence. The API key looked like an actual UUID! UUIDs are typically used as API keys, and I got curious. Could this be the actual API key used by the student to access a system?
The system in question is a SaaS platform to keep track of marketing and sales information. I somewhat know the system because the system is also used by my current employer. Marketing and sales data typically equates to quite critical data for a company. We are talking deals, business contacts, forecasts and much more.
I should interject here: It is essential to understand that the student wrote the bachelor thesis as part of an internship project at a European company. So if that API key is a valid one, then this might be a credential leak for the company! This is especially problematic because the thesis was not marked as confidential. In turn, this means that the thesis should be considered publicly available through the university. Not a situation any company wants to face. Also, not something a student wants to hear as part of their thesis defense.
So judging the criticality and wanting to know whether this is an issue, I typed of the cURL statement into my terminal and executed it! Low and behold, it worked! The SaaS platform responded with the first 100 business contacts of the company (paginated API)! After trying out a few more APIs and cross-referencing the API responses, I was highly confident that the API key is, unfortunately, granting access to a production system filled with all kinds of sensitive data.
Considering that this was a first for me, I was curious how this should be handled. Some of the things I was wondering about are:
- Are there processes in place at the university to handle situations like these?
- As an external expert reviewing a thesis, do I have an obligation to immediately report this to the company?
- Will we violate the company's trust by not telling them about this as early as possible?
- Should we tell the student's company supervisor about this in advance to not be surprised to hear about this during the thesis defense for the first time?
- How will me communicating this affect the student's final grade or whether they pass/fail?
I opted for a quick email to the university to explain the situation and ask for their opinion. The university decided not to inform the company in advance and instead bring up the topic at the end of the defense. In light of the short amount of time (<24h) between me identifying this credential leak and the thesis defense, this seems acceptable. However, I am not sure I could have accepted to keep the company in the dark for more than a day.
Fault, Blame and Grading
Grading is a topic that has to naturally come up as part of a thesis defense. So, how do you grade a bachelor thesis that starts off with a credential leak? Do you immediately let the student fail? Would you deduct points somewhere to account for this? This seems quite related to issues one faces with new hires or junior employees at a company. If an employee can create such an honest mistake, is it just the employee's fault or the system's fault that allowed this mistake to happen? Shouldn't there be mechanisms in place that keep us from making honest and stupid mistakes? Going back to the student, was it wise for the company to give the student full access to their marketing and sales data? Should the company have reviewed the student's thesis to ensure that it doesn't contain sensitive information? Should the university have paid attention to this?
From my experience, everyone makes mistakes. Honest, stupid and embarrassing mistakes. Human error is real, and we need to establish systems to protect each of us. If not, what culture are we creating, and what example do we set for the next generations?
Of course, the student immediately realized that they fucked up as we pointed out the credential leak. They were feeling bad enough (visibly), and they learned something that day. Blaming them wouldn't have done any good. Not for them and not for us.