University internship web-app cross-site scripting vulnerability.

Question

My university is currently undergoing paid internship applications. Past terms have had a large number of positions available, but this term, as one might expect, there are not many positions available and the field has become very competitive.

The web-app has every student upload an HTML formatted resume which is "Validated" server-side.

While updating my resume, I discovered a persistent cross-site scripting vulnerability which allows a malicious HTML resume to change their apparent grades, major, classes taken, past internship information, any information in the application package employers will see.

Worse yet, I suspect the XSS allows for session hijacking of employers.

I decided to Do The Right Thing™ and put my white hat on. I informed the officials in charge of handling fraudulent applications in a very detailed e-mail and gave a proof-of-concept HTML resume and described two possible fixes. They quickly responded by thanking me and telling me that the maintainers of the site will be notified.

The vulnerability is still present and employers will be receiving the application packages within a few days.

I fear that many students might be exploiting this and doctoring their applications to give them an advantage in this competitive time.

Should I attempt to inform the employers that this vulnerability exists?

I've thought of changing all my grades and internship reviews to perfect for my applications to security jobs and putting a button to toggle showing my actual grades and inform the employer that they should check the HTML source to get everyone's un-tampered applications.

This would make my resume stand out enormously and would inform only employers in the security field.

Ethically, am I throwing away my career if I inform my potential employers?

PS: I am not considering using the vulnerability to doctor my applications without making it abundantly clear to the employer than it is possible to alter the information. That, would be clearly wrong, could get my expelled without a diploma and may be illegal where I reside. My actual performance in school is sufficient to get me a job without cheating.

Answer 1

Let your school handle it - you've already done your part. Letting the employers know, without your school's consent, will only damage your school's reputation in their (the employers) eyes.

Answer 2

Even using what you describe, a button to toggle between the real and doctored grades and having it set up so that it's clear to the employer what's going on, there's a reasonable possibility you could be expelled without a degree. It could, though one set of glasses, be viewed as hacking, and if what you did embarrasses someone, you can be almost certain that he'll be wearing those glasses.

As you seem to see, in these situations you have to weigh doing the morally correct thing, which is to try to keep the web site owner from allowing the employers to be cheated, and the possible bad consequences to yourself for doing so. In this case, I'd say that the bad consequences could have a lifetime effect, and you should probably just say nothing about this. You're smart enough that in a few years you'll have moved into a stronger position politically, and will then be able to start taking on these sorts of battles.