Rather than writing their own code, Harvard and a bunch of other well-funded business schools outsourced the job of creating an online application system to a firm called ApplyYourself. The firm did such a craptastic job of coding even the most basic security into their application that students soon discovered they could learn the status of their application simply by sticking their name onto the end of the URL.
You’d think that would be bad for ApplyYourself, and it probably is. But guess who it’s worse for? Every student who got curious and tried the URL “hacking” trick is being denied admission. So: Strike one against Harvard for hiring a lame development firm. Strike two against Harvard for punishing students for their own security holes. Strike three goes to students who failed to learn from Curious George that curiosity can only lead to trouble. It’s not like the students broke into the system — they walked in through the side door. And without malicious intent or consequences.