Startup vulnerability leaves queer student data exposed

Nov. 19, 2019, 3:37 a.m.

A security flaw allowed users of Queer Chart, a startup founded by Stanford students to link members of the campus queer community, to access all users’ names, profile pictures, email addresses, dates of birth, pronouns, schools and anonymous IDs, its founders have acknowledged. An anonymous ID is meant to allow a user to post on Queer Chart under an alias. 

The product launched in early October and was taken offline last week, with a notice posted on its site stating, “Queer Chart is offline a little for some maintenance! Expect an email soon when we are back :).”

On Tuesday, the Queer Chart team replaced the maintenance notice with a timer counting down to a “Beta 3.0” launch on Dec. 1. The page now also includes a list of steps they say they have taken and will take to minimize security risks. 

Campus newsletter the Fountain Hopper (FoHo) first reported the vulnerability in a Friday special report. While the startup’s founders, Maddie Wang ’21, Sunwoo Lee ’20, Miriam Haart ’22 and Angela He ’21, have acknowledged the vulnerability, they disputed aspects of the FoHo’s report, including that they repeatedly failed “to secure the privacy of the app’s user base.” 

The founders said they secured “private data” within five hours of learning of its existence, removing data not accessible through the user interface including dates of birth, email addresses and anonymous IDs. FoHo editor-in-chief Ross Ewald ’20 did not respond to The Daily’s requests for comment.

The breach

The vulnerability involved an Application Programming Interface (API) function called “getEveryone,” which allowed any Queer Chart user to retrieve information associated with every user. The FoHo also reported that the product’s code contained personal information about a Stanford student not on the Queer Chart team. 

The founders said their team worked to address the data leak after FoHo reporters met with them about it.

But a subhead of the FoHo report asserted that Queer Chart “ACCIDENTALLY LEAVES DATA EXPOSED” in trying take the system down for maintenance. 

“A FoHo reporter confirmed that the ‘getEveryone’ API was still accessible to authenticated users even after the main service was down,” the report stated. 

In an interview with The Daily, Lee said that the vulnerability was fixed within five hours of this meeting. While the “getEveryone” endpoint remained accessible to users, Wang said, it only returned information already accessible to users through the site’s interface, including name, school and picture.

It is unclear who or how many individuals exploited the vulnerability. The founders were not able to determine this, Wang said, but said they are working on a way to more precisely track API requests moving forward. 

Early Thursday morning, Lee sent an email to Queer Chart users notifying them that their data had been accessible to other users of the platform. 

“As members of the queer community ourselves, we understand how important privacy is to our users,” Lee wrote.

After the FoHo’s Friday report, Wang reiterated the founders’ apologies in a second email promising that the product would be more secure when it went live again. 

“We are fixing our platform to eliminate all access points to user data,” Wang wrote. “Until we are fully certain that Queer Chart is secure, the website will be under maintenance.”

Wang told The Daily that they are working with white hat hackers to “play hack” their system with fake user data in order to identify its security flaws. The timeline for re-launching the site, she said, depends on security experts’ examination of it. 

The Tuesday addition to their site said that they consulted computer science lecturer Jerry Cain and professor Mendel Rosenblum along with five “students with knowledge in security.”

“We will provide clarity on risks that come with using an online platform like Queer Chart, including information on how user data is shared across the platform and what data other users can access,” it said.

In a Daily op-ed, Lee blasted the FoHo report, disputing some claims as inaccurate and exaggerated and questioning the outlet’s journalistic ethics. 

Accessing the vulnerability

The founders emphasized that the exposed data was only accessible to Queer Chart users, who they said could create an account in two ways. They could either provide a Stanford email address or use a non-unique link originally sent to 200 individuals who had RSVP’d to a party called “The Second Coming,” billed on Facebook as an event for womxn, non-binary and femme individuals.

“Given a widely-shared link, anyone in the world could make an account and harvest sensitive data on a good chunk of Stanford’s queer population,” the FoHo reported.

Lee wrote in her op-ed that is “not untrue” but a “gross exaggeration.”

“For any external exposure, a Stanford student (likely queer themselves) would have needed to deliberately share the link with a malicious outside user,” she added. 

Awareness of the vulnerability

The FoHo also reported that, according to anonymous tipsters, the Queer Chart founders knew about the vulnerability before FoHo reporters approached them. Ewald did not respond to The Daily’s request for elaboration on the number of tipsters or how they arrived at this conclusion. 

“Tipsters alleged that the team was aware the product was exposing users’ private data and neglected to implement a fix,” the report stated, noting that the founders denied being aware of the vulnerability.  

The founders also denied to The Daily that they had of any prior knowledge of the vulnerability, and Lee elaborated in her op-ed.

“We had spent all of October pleading with our beta users to report bugs and give us feedback; this was obvious in our various publicity emails,” Lee wrote. “The allegation that we, members of the queer community, deliberately overlooked issues that concerned the privacy of our users, a lot of whom are our good friends, is deeply upsetting.”

Startup Garage connection

Queer Chart co-founder Haart is enrolled in STRAMGT 356: “Startup Garage,” a fall-quarter Graduate School of Business course that helps students test new business concepts. After her partner stopped showing up to the class, Haart asked permission from her co-founders to use Queer Chart, which they had begun independently developing at the start of the quarter, as her Startup Garage Project, she said. The other three founders began auditing the class, Lee said.

“This class is helping us reach out to more queer women and define the problem,” Haart said.

Stefanos Zenios, the faculty director of Startup Garage, said it would be a violation of student privacy to confirm or deny whether a team working on a project is part of Startup Garage. However, he said activities like launching a minimum viable product are beyond the scope of the course in fall quarter. 

“If students go rogue, disregard the lessons and processes in the class and do things outside the classroom assignments that are not consistent with the principles we teach in class, there is not much we can do until we find out,” Zenios wrote in an email to The Daily. 

“We take the privacy of all individuals very seriously,” Zenios added. “We have never had any issues with privacy related to activities pursued as part of the Startup Garage assignments and we have had teams work on some very sensitive issues affecting very vulnerable communities (e.g. drug rehabilitation, rehabilitation of felons, etc).”

“[T]he purpose of Startup Garage is to teach students a responsible process to launch new ventures,” he added. “We focus on the process and we are very systematic in which activities need to happen when so that vulnerable communities are protected. The process is designed to prevent the issues described in the article, as long as the process is being followed.”

This article has been updated to include the Tuesday change to the Queer Chart website.

Contact Paxton Scott at paxtonsc ‘at’ stanford.edu.



Login or create an account