CUT Student Allegedly Hacks Into Results Portal & Alters Grades

Farai Mudzingwa

A Chinhoyi University of Technology (CUT) student has allegedly been arrested after hacking into the university’s results portal and altering grades for himself and other students.

It’s claimed he received varying amounts in US$ payments for altering the results of 7 other students, and then proceeded to use a technique called SQL Map, which is an SQL injection technique, to hack into the institution’s database.

SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.

SQL Map, which was allegedly used in this case, is actually an open-source penetration testing tool that automates the process of detecting and exploiting flaws to take over database servers.

The presence of such a flaw also means other students could have been silently exploiting it for years without being caught. If it isn’t patched ASAP, other students will exploit the flaw, and if they don’t get greedy and offer to alter the results of other students at a cost, they’ll walk away scot-free.
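
The flaw class described above and its fix, as an added example that is not from the original article or from the university's system. It uses Python's built-in sqlite3 with a constructed results table; the schema, the function names and the sample entry-field value are assumptions, and the audit trigger is one way to make grade changes leave a trail rather than happen silently.

```python
import sqlite3

def make_db():
    # Constructed sample data; schema and names are assumptions for illustration.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE results (student_id TEXT, course TEXT, grade INTEGER);
        CREATE TABLE grade_audit (student_id TEXT, course TEXT,
                                  old_grade INTEGER, new_grade INTEGER,
                                  changed_at TEXT DEFAULT CURRENT_TIMESTAMP);
        -- Every grade change leaves a row behind, so edits are not silent.
        CREATE TRIGGER log_grade_change AFTER UPDATE OF grade ON results
        BEGIN
            INSERT INTO grade_audit (student_id, course, old_grade, new_grade)
            VALUES (OLD.student_id, OLD.course, OLD.grade, NEW.grade);
        END;
    """)
    db.executemany("INSERT INTO results VALUES (?, ?, ?)",
                   [("S001", "CS101", 48), ("S002", "CS101", 71),
                    ("S003", "CS101", 65)])
    return db

def lookup_concat(db, student_id):
    # Flawed: the entry-field text is spliced into the statement and parsed as SQL.
    sql = ("SELECT student_id, grade FROM results "
           "WHERE student_id = '" + student_id + "'")
    return db.execute(sql).fetchall()

def lookup_param(db, student_id):
    # Patched: the value is bound to a placeholder and is only ever treated as data.
    return db.execute("SELECT student_id, grade FROM results "
                      "WHERE student_id = ?", (student_id,)).fetchall()

def set_grade(db, student_id, course, grade):
    # Legitimate update path, also parameterized; the trigger records the change.
    db.execute("UPDATE results SET grade = ? WHERE student_id = ? AND course = ?",
               (grade, student_id, course))
    return db.execute("SELECT student_id, old_grade, new_grade "
                      "FROM grade_audit").fetchall()

if __name__ == "__main__":
    db = make_db()
    crafted = "S001' OR '1'='1"  # constructed entry-field value
    print("concatenated query rows:", len(lookup_concat(db, crafted)))
    print("parameterized query rows:", len(lookup_param(db, crafted)))
    print("audit trail:", set_grade(db, "S001", "CS101", 50))
```

In a real deployment the audit table should be writable only by a database account the web application does not use, so that a flaw in the portal cannot also erase the trail.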

Should he have been arrested?

One of the main talking points that has become contentious since this story broke is that this student shouldn’t have been arrested. A number of people believe he should have helped the school’s security team to patch the flaw.

Personally, I think that’s a naive approach. If someone commits a crime why should they be rewarded generously for that? If someone broke into your house whilst bypassing the alarm system, would you recommend the alarm company hire him/her to patch out the flaws?

Whilst that isn’t the best analogy in the world, I think it’s fair to assume you would want that person to be arrested and then disclose how they committed the crime to the police. That way a criminal has been removed from society and you have found your way to patching your security systems. What’s your opinion on this issue? Should he have been arrested?


What’s your take?


  1. Witker Tholana
    1. Mafuva Edmond

      Thus juvenile delinquency.

  2. lionel

    Indeed, for every wrongdoing you just got to pay the price. On the other hand, the lad has considerable potential which might prove useful if exploited thoroughly. I wouldn't send him to prison but instead commute his sentence to something more useful in regard to the institute's info sec and other organisations. SQL injections are probably 20+ years old now, and this begs the question: which rock has the IT department been living under??

    1. Anonymous

      Industrial espionage candidate?

      1. lionel

        You see.. the know-how is in quite a demand, and what, sell to the highest bidder 🤔? ‘Interesting business model’, or act on behalf of a bigger hand?.. Quite tempting

      2. Anonymous

        No really, SQL injection is the oldest trick in the IT field. I would rather say that the people who created the system are quite dumb, sorry to say, because that's the first security prevention you make when you are working with an SQL-supported application. Two, for the guy who hacked the system, go work to show the vulnerability of the system, but I would consider him being a potential candidate in the IT field since he still has more to prove

        1. Farai Mudzingwa

          Having met the guy personally I will say on the occasion I met him I did think he had a very bright future and understood computer systems and artificial intelligence in a way few people I’ve met do

    2. anony

      They do not have the money or other resources to afford industry standard security on their academic portal. This is one of the reasons I never learnt in Zim, because no international employer or institution is going to take your transcript seriously after such cases of IT incompetence

  3. Imi Vanhu Musadaro

    SQLMap is a tool, not a technique.

    I wouldn’t call a person who “hacked” into 1 system one worthy of hiring as a security consultant. If he has more skills to bring to the table, it must be weighed against that.

    You are hired as a consultant when the skills you possess are better served being taught to those that will use them legitimately, than being taught to those who could be subversive. Or, if you possess knowledge even legitimate actors do not have.

    Everyone with a copy of Kali Linux is running around calling themselves a hacker or penetration tester. 🤷🏾‍♀️

    1. Stephen Mudere

      Which application suffers from an SQL injection attack in this day and age? Novice developers!

    2. jon snow

      True to a certain extent, but not every dumdum is capable of figuring out which endpoint to target or even how to go on from there if a vulnerability is found. The fact that he was able to figure that out makes him stand out and worthy of further ‘weighing’, as you say. He figured out what the ‘learned’ people in the IT department had no idea about/were complicit about. You sound like the CEH typo person😂

  4. Brandon Nyoni

    The fact that he went on to alter the results of other students, he must not be hired for that, instead he must be punished. Thus totally a pooh-pooh. If he is a genius, then why can’t he prove his geniuses genuinely and not behind closed doors.

  5. tinaboy

    How he was caught or found out is what makes him a hero or just a chancer.

  6. Foxx of the FoxxTech

    Well, thus an interesting thing to learn. Are you sure CUT is a university of Technology or a creche? Do they have DBAs and their own Software Devs or they just pick willers? It really does not make an interesting sound that their DB was injected.
    For the boy, he is a bad boy who does not deserve anything positive. He could have maybe tested the possibility and presented his findings in order for him to be recognized useful. He did a bad thing and his reward for that is punishment.