Educause Security Discussion mailing list archives

University credentials used by third parties


From: Justin Sherenco <jsherenco () EMICH EDU>
Date: Tue, 17 Aug 2010 13:12:34 -0400

Hello,

Recently a local on-line news site
(http://www.annarbor.com/news/university-of-michigan-students-can-wager-on-grades-via-website/)
wrote an article about a new website that lets students bet on their own
grades.  The betting aspect aside, I was intrigued by this line: "they have
to register and upload their schedules to grant the site access to school
records."  To investigate further, I went through the account setup process
and found that the student has the option to allow the site to
automatically download their student records (see attached ultinsic2.jpg).
It actually asks for their academic user name and password!  EMU is
currently not on their list of supported schools, but they mention they
will be rolling out nationally.  We have policies and standards in place
that say don't give out your password, and in my opinion giving credentials
to this site would violate them.  Are there any other universities
investigating the use of usernames and passwords used by third-party web
applications not sanctioned by the University?  Any talk on actually
blocking a site like this from automatically logging in (system
stability/privacy/security issues?) or is this more of users' choice?

 

 

Regards,

Justin

-------------------------------------
Justin Sherenco, CISSP
Eastern Michigan University
Security Analyst
http://it.emich.edu/security

 

 

 

