Files from the PExL Program (Princeton Experimental Laboratory for the Social Sciences) exposed without security.

Their website describes the program as follows:

The Princeton Experimental Laboratory for the Social Sciences (PExL) is dedicated to experimental research in the social sciences. Inter-disciplinary at its core, the laboratory offers resources for members of the Princeton University community to take part in frontier research in Economics, Finance, Psychology, and Political Science. PExL opened in 2018 as part of the Economics Department at Princeton.

What data was exposed?


A sample from a batch of several 14-page PDF documents that shared this format, each bearing the legend "PExL Participation Payment Receipt".

On January 22, I discovered a completely exposed Google APIs storage bucket containing several files related to the PExL program at Princeton University, one of the most prestigious institutions in the Ivy League.

Among the files were those named PExL Participation Payment Receipt, which included personally identifiable information of participating students: full name, handwritten signature, UID (student identification number), and the amount paid for their participation in the program.

We verified that the data was genuine by conducting a Google search: the names matched individuals who, according to publicly available records from that period, were indeed Princeton students at the time. The document dates ranged from 2018 onward. The storage did not expose a large volume of information, but it did contain files that should never have been publicly accessible. With this evidence, we proceeded to notify Princeton University.

Notification


On the same day, I sent an email to the university presenting it as a responsible disclosure to the infosec contact at Princeton. Unfortunately, the next day I discovered that my entire message had been rejected by the mail server due to an administrator-configured rule: only senders from the @princeton.edu domain are authorized to send messages to that address.


This makes no sense to me at all. An infosec or security reporting address should be open to external reports, especially legitimate vulnerability disclosures or responsible notifications, and should not block submissions from outside the university.

On January 26, I had to try again and sent the email to the academics responsible for the PExL program, explaining what had happened. Those emails did not bounce (they had no such restrictions), but I received no response or even acknowledgment of receipt.

On January 28, I had the idea to inspect the source code of the PExL webpage, and there I found the storage bucket with its address fully open and publicly accessible. I then drafted a new email, adding that the page was exposing this open storage and that it should not be publicly available, especially given the sensitive files it contained (such as the payment receipts with names, signatures, and UIDs). The very next day, the storage was blocked. Coincidence or not?
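The step described above (reading a page's source, spotting the bucket URL, and confirming that the bucket can be listed without credentials) is easy to script. The Python below is an added example written for this page; it is not code from the original post nor from PExL or Princeton. The bucket names, the HTML snippet and the XML responses in it are constructed for illustration and are not the real bucket or its files. Only check_bucket touches the network; everything else runs offline on the constructed samples.

```python
"""
Added example (not code from the original post or from PExL/Princeton):
find Google Cloud Storage bucket references in a page's HTML and check
whether the bucket permits anonymous listing. All names, HTML and XML
below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET
from urllib.error import HTTPError
from urllib.request import Request, urlopen

_NAME = r"([a-z0-9][a-z0-9._-]{1,221})"  # GCS bucket-name character set

# The usual ways a page references a bucket: XML/path URLs, virtual-hosted URLs, JSON API.
_BUCKET_PATTERNS = [
    re.compile(r"https?://storage\.googleapis\.com/(?!storage/v1/)" + _NAME, re.I),
    re.compile(r"https?://" + _NAME + r"\.storage\.googleapis\.com", re.I),
    re.compile(r"https?://(?:www\.|storage\.)?googleapis\.com/storage/v1/b/" + _NAME, re.I),
]


def extract_bucket_refs(html):
    """Return the distinct bucket names referenced in a page's HTML or JavaScript."""
    found = []
    for pattern in _BUCKET_PATTERNS:
        for match in pattern.finditer(html):
            name = match.group(1).lower()
            if name not in found:
                found.append(name)
    return found


def _local(tag):
    """Strip an XML namespace ({uri}Tag -> Tag) so parsing works with or without it."""
    return tag.rsplit("}", 1)[-1]


def classify_listing(status, body):
    """
    Interpret the response to an unauthenticated GET https://storage.googleapis.com/<bucket>.
    200 + <ListBucketResult>: allUsers can enumerate objects, i.e. the bucket is public.
    403 + <Error><Code>AccessDenied: the bucket exists but listing needs credentials.
    404 + <Error><Code>NoSuchBucket: the name is not claimed at all.
    """
    result = {"status": status, "public": False, "code": None, "objects": []}
    data = body.encode("utf-8") if isinstance(body, str) else body
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return result  # HTML error page or empty body: not a listing
    if status == 200 and _local(root.tag) == "ListBucketResult":
        result["public"] = True
        result["objects"] = [el.text for el in root.iter() if _local(el.tag) == "Key" and el.text]
    elif _local(root.tag) == "Error":
        for el in root.iter():
            if _local(el.tag) == "Code":
                result["code"] = el.text
                break
    return result


def check_bucket(name, timeout=10.0):
    """Issue the anonymous listing request for a bucket and classify it (needs network)."""
    req = Request(f"https://storage.googleapis.com/{name}", headers={"User-Agent": "bucket-check/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return classify_listing(resp.status, resp.read())
    except HTTPError as err:
        return classify_listing(err.code, err.read())


# Constructed page source: three references to two hypothetical buckets.
SAMPLE_HTML = """<html><head>
<script src="https://storage.googleapis.com/pexl-example-bucket/js/app.js"></script>
<script>fetch("https://www.googleapis.com/storage/v1/b/pexl-example-bucket/o");</script>
</head><body>
<img src="https://pexl-example-assets.storage.googleapis.com/logo.png">
<a href="https://storage.googleapis.com/pexl-example-bucket/receipts/2019-03.pdf">receipt</a>
</body></html>"""

# Constructed responses to an anonymous GET https://storage.googleapis.com/<bucket>.
SAMPLE_LISTING = """<?xml version='1.0' encoding='UTF-8'?>
<ListBucketResult xmlns='http://doc.s3.amazonaws.com/2006-03-01'>
<Name>pexl-example-bucket</Name><Prefix></Prefix><IsTruncated>false</IsTruncated>
<Contents><Key>receipts/2019-03.pdf</Key><Size>10240</Size></Contents>
<Contents><Key>js/app.js</Key><Size>512</Size></Contents>
</ListBucketResult>"""

SAMPLE_DENIED = """<?xml version='1.0' encoding='UTF-8'?>
<Error><Code>AccessDenied</Code><Message>Access denied.</Message>
<Details>Anonymous caller does not have storage.objects.list access.</Details></Error>"""


if __name__ == "__main__":
    for bucket in extract_bucket_refs(SAMPLE_HTML):
        print("bucket referenced by page:", bucket)
    print(classify_listing(200, SAMPLE_LISTING))
    print(classify_listing(403, SAMPLE_DENIED))
    # Live probe of a hypothetical name; only run against buckets you are authorised to test.
    # print(check_bucket("pexl-example-bucket"))
```

Two caveats when reading the verdict. A 403 on the listing does not prove the objects are private: with fine-grained ACLs an individual object can be world-readable while listing is denied, so any object URLs found in the page source should be fetched anonymously as well. Conversely, a 200 listing means allUsers (or allAuthenticatedUsers) holds a role with storage.objects.list, typically roles/storage.objectViewer or roles/storage.legacyBucketReader; on the owning side, gsutil iam get gs://<bucket> shows that binding, and gsutil pap set enforced gs://<bucket> turns on public access prevention so such a binding cannot take effect again.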

Finally

I recall that last November, news broke about a cybersecurity incident involving this university. While this situation may not carry the same level of risk as that previous case, it is a clear indication that security practices are not sufficiently robust. Anyone could access those files; no effort was made to properly protect or restrict them.

I took the time and effort to report this to you, and it was not a pleasant experience. I felt discouraged when I saw the automated email response from the administrator, which effectively discourages legitimate reports. It's very likely that other fellow researchers or well-intentioned individuals wanted to notify you but gave up after seeing that message.

Furthermore, unfortunately, I had to reach out to contacts who have no connection to the infosec field, when ideally there should be a dedicated, serious channel for notifications from researchers or responsible disclosures (for example, a specific email address for vulnerability disclosure or security reports). I know you are an Ivy League institution, and precisely because of that, a higher level of concern and diligence regarding cybersecurity across your environment would be expected.