A hacker and a vigilante hacked and defaced the now defuncted Utah Valley University (UVU) website learningstyles.uvu.edu in 2019 and 2020.

The Learningstyles website hosted content of the Journal of Learning Styles which focused on the “scientific nature of the field of education.” Founded in 2008, it published research on the now debunked concept of different learning styles. The journal’s editorial board consisted of:

  • Sra. Silvia Carrascal Dominguez, Universidad Camilo José Cela Universidad Complutense de Madrid, Spain
  • Dr. Baldomero Lago Marín, Utah Valley University, United States
  • Dr. Wilmer Ismael Angel Benavides, Servicio Nacional de Aprendizaje SENA, Colombia

UVU appears to have sponsored the journal as indicated by the use of the Logo, theme, and domain name.

UVU Hacked Website

In December 2019, I discovered hidden content on one of the website’s web pages. The content made references to a variety of topics from “Air sports” to “Weightlifting.” It also included questionable references such as pharmaceuticals and get rich quick schemes. The content included links to other websites that included pornography, Youtube, Russian websites, and websites designed to get someone to spend money on questionable products.

Often hackers will use this technique to perform black hat search engine optimization—a series of techniques to manipulate search engine rankings. By placing common terms on a website and linking to hacker-controlled websites that sell products, search engines will rank these other websites higher in their search results. The outcomes causes unsuspecting people to trust that if the websites could appear high enough in their search results, they are likely to trust and visit those websites. The hacker’s end goal is to financial gain.

Fortunately in this instance the hack is relatively minor. It is unlikely the website contained sensitive data, and the attacker’s efforts seemed focused on the one particular goal.

Subsequent visits to the Learning Styles website showed active exploitation. At one point the page could no longer display properly in a web browser and instead showed a plaintext version of all both legitimate and illegitimate content. Another occasion the website displayed a pop-up that stated, “This_site_is_vulnerable_to_stored_XSS” to the visitor. This indicated a vigilante attempted to warn the website administrator of the website’s serious security vulnerability.

I did not identify or attempt to exploit the specific vulnerability that allowed unauthorized content to display on the website.

UVU Response Indicative of Higher Education Cybersecurity Struggle

I reported the hacked website to the cybersecurity team at UVU on December 30, 2019 who responded on January 3, 2020. By February 3, the hacked content on the website had not been taken down. I followed up and received a response indicating it was taking time to address the issue because the website was not hosted by central IT. By February 10 the website was offline.

Unfortunately, insecure systems and slow response times are quite common among higher education institutions due to their decentralized structure and pervasive shadow IT. In response to their own recent cybersecurity incident, the University of Utah stated it “has vulnerabilities because of its decentralized nature and complex computing needs.”

This is the second recent cybersecurity incident I reported to Utah Valley University. Earlier in 2020 I found a site with 17-year-old SQL injection vulnerabilities.

I discovered this cybersecurity issue and responsibly disclosed it as part of the UtahCyberCheck project, where in my spare time I focus on finding and reporting cybersecurity issues of Utah government, education, and nonprofit organizations. For more information about the project, you can read the announcement blog post.