Freshman chemical engineering major Reza Hashemipour found that anyone could change a user's password by knowing only the account name, which is also the user's e-mail address, according to The Diamondback.
By changing the password, a hacker could access the account and do anything from dropping a student's classes to changing teachers' grades, the paper reported.
The security loophole may have existed for up to three years. After the student told the student paper about the problem, the paper contacted the university, which patched it right away. Hashemipour said he didn't tell anyone else about the flaw before reporting it to the student paper.
How did it happen?
First, a bug in the password website allowed an attacker to change another user's password security questions with no special knowledge about the user. To change a forgotten password, a user must correctly answer these security questions and enter his or her social security number and birth date.
The second error allowed an attacker to enter arbitrary values in the social security number and birth date fields and be passed straight through to the security question maintenance page without correctly providing any of those values.
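The two errors above are both failures to verify identity at the right step of an account-recovery flow. As an added illustration that is not the university's code or anything reported by the paper, the following Python service models a recovery flow that closes both gaps: security questions can only be changed by a caller holding an authenticated session for that same account, and the social security number and birth date entered at the first recovery step are actually compared against the stored record before a recovery token is issued. The account data, the `_digest` helper and the `RecoveryService` class are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _digest(value: str) -> str:
    # Stored identity attributes are kept as hashes so a leak of the table does
    # not expose raw values; a production system would use a keyed or slow hash.
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class Account:
    email: str
    password_hash: str
    ssn_hash: str
    birth_date_hash: str
    question_answer_hashes: dict  # question text -> hashed answer


class RecoveryService:
    def __init__(self, accounts):
        self._accounts = {a.email: a for a in accounts}
        self._logins = {}    # login token -> email (authenticated sessions)
        self._recovery = {}  # recovery token -> (email, stage reached)

    def login(self, email, password):
        acct = self._accounts.get(email)
        if acct is None or not hmac.compare_digest(acct.password_hash, _digest(password)):
            return None
        token = secrets.token_urlsafe(32)
        self._logins[token] = email
        return token

    # First flaw closed: knowing the account name is not enough; the caller must
    # hold an authenticated session for exactly the account being edited.
    def set_security_questions(self, login_token, email, new_qa):
        if self._logins.get(login_token) != email:
            return False
        self._accounts[email].question_answer_hashes = {q: _digest(a) for q, a in new_qa.items()}
        return True

    # Second flaw closed: the SSN and birth date are compared against the record,
    # and a recovery token is issued only when both match.
    def begin_recovery(self, email, ssn, birth_date):
        acct = self._accounts.get(email)
        if acct is None:
            # Do comparable work so a missing account is not obvious from timing.
            hmac.compare_digest(_digest(ssn), _digest(birth_date))
            return None
        ssn_ok = hmac.compare_digest(acct.ssn_hash, _digest(ssn))
        dob_ok = hmac.compare_digest(acct.birth_date_hash, _digest(birth_date))
        if not (ssn_ok and dob_ok):
            return None
        token = secrets.token_urlsafe(32)
        self._recovery[token] = (email, "identity_verified")
        return token

    def answer_questions(self, token, answers):
        entry = self._recovery.get(token)
        if entry is None or entry[1] != "identity_verified":
            return False
        expected = self._accounts[entry[0]].question_answer_hashes
        # Every stored question must be answered; missing or extra questions fail.
        if set(answers) != set(expected):
            return False
        if not all(hmac.compare_digest(expected[q], _digest(a)) for q, a in answers.items()):
            del self._recovery[token]  # a wrong answer ends this attempt entirely
            return False
        self._recovery[token] = (entry[0], "questions_verified")
        return True

    def reset_password(self, token, new_password):
        entry = self._recovery.get(token)
        if entry is None or entry[1] != "questions_verified":
            return False
        del self._recovery[token]  # single use
        self._accounts[entry[0]].password_hash = _digest(new_password)
        # Any existing logins for the account are invalidated after a reset.
        self._logins = {t: e for t, e in self._logins.items() if e != entry[0]}
        return True


def make_demo_service():
    # Constructed sample account; none of these values are real.
    acct = Account(
        email="student@example.edu",
        password_hash=_digest("correct horse"),
        ssn_hash=_digest("000-00-0000"),
        birth_date_hash=_digest("2000-01-01"),
        question_answer_hashes={"First pet?": _digest("Rex")},
    )
    return RecoveryService([acct])
```

The important property is that each stage can only be reached from the one before it: the questions cannot be answered without a token from a successful identity check, the password cannot be reset without the questions being answered, and the questions themselves cannot be rewritten from the recovery flow at all, only from an authenticated session.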
The director of IT security at Maryland said a reward might be given to Hashemipour for finding the flaw.
"This isn't messing with your Facebook," Hashemipour told The Diamondback. "This is your entire academic career."