Teen Hacks his School Software and Exposes the Data of Millions of Students
A teenager has uncovered numerous flaws, including SQL injection and XML inclusion vulnerabilities, within software used in his school.
18-year-old Bill Demirkapi discovered flaws in, among others, Follett's Student Information System and Blackboard's Community Engagement software, when he was 16, and continued his research right up to his graduation this spring.
Hacking Blackboard’s Community Engagement gave Demirkapi access to the records - from phone numbers to discipline records, bus routes and class schedules - of more than 5,000 schools and around five million students, while Follett’s Student Information System included student passwords that were unencrypted and in fully readable form.
According to Demirkapi, who gave a presentation at the DEF CON 27 conference in Las Vegas, there was nothing high tech about his way of accessing the data: "My method of finding vulnerabilities was ... really inadequate and non-professional. It was just looking at pages and trying to mess with the parameters. The state of cybersecurity in education software is really bad, and not enough people are paying attention to it."
Among what Demirkapi discovered was a local file inclusion flaw that redirected users to a servlet called toolResult.do when they downloaded their report card or schedule.
"After running a tool or attempting to download a file shared with the user, a request to toolResult.do is made. By modifying the fileName parameter to the proper path escape, an attacker can access any file on the system," said Demirkapi, who also found "SQL injections galore" in the Blackboard software.
"I grabbed a list of links through a crawler and using Chrome Web Tools, I would then try and find interesting parameters to play around with and see how the server reacted when it received unexpected input. For parameters that responded to characters commonly used in SQL injection, I put them through SQLmap."
Demirkapi passed on his findings to his school's IT department. However, it ended up being viewed by every school in his district and he was suspended from school for two days. He made any further disclosures to the CERT Coordination Center.
Demirkapi closed his presentation at DEF CON with a message to schools, saying they needed to take data security seriously and not make judgments based on a sales pitch: "Don't fall for marketing. Just because (vendors) say they take care of data doesn't mean they do."
***If Bill Demirkapi's name rings a bell, it may be because you read about him in another story that appeared on SecAlerts: Remote Code Execution Found on Dell Computers.