myTRU portal bug leads to students accessing each other’s accounts

The discovery of a software bug in the myTRU portal has prompted the university to disable myTRU’s automatic password resetting feature until further notice. Students can still change their myTRU account’s password by submitting a password reset request to the university.

The bug made it possible for myTRU users to access other students’ accounts when two individuals attempted to reset their myTRU passwords online at the same time, but it is unlikely that the bug was exploited maliciously before it was discovered, according to TRU VP of advancement Christopher Seguin.

“It wasn’t public knowledge that it could be done,” he said. “We predict that all of the access was accidental and done by people within the TRU community. There was no intent and they weren’t seeking the information.”

The mistakenly granted access ended once the user’s session ended, either by closing the browser or by logging off, according to an announcement sent to the TRU community. “This means that only the people who have reset their password using the automatic feature would have had the possibility of being affected,” the announcement read.

The software vulnerability was discovered when affected myTRU users notified the university and submitted incident reports, Seguin said.

According to TRU’s written statement, “private information could have been accidentally viewed by another member of the TRU community between October 2012 and March 16, 2015.”

“We have received no indication whatsoever that an unauthorized individual has misused any information and we have reported the incident to the Office of the Information and Privacy Commissioner,” the announcement read.

“[Students will regain access to the automatic reset feature] when we are absolutely sure that the feature has been repaired,” Seguin said. “Until then, we are going to take no chances and we are going to do it manually.”

As a precaution, TRU recommends that students review their financial information and bank transactions. Errors or irregularities should be reported right away to the student’s financial institution and to TRU’s Privacy Office at 250-828-5012. For other questions or concerns, the university asks that students contact the TRU Privacy Office by email at privacy@tru.ca or by phone at 250-828-5012.