News

Teen Hacks his School Software and Exposes the Data of Millions of Students

Giulio Saggin
Giulio Saggin
Tuesday 28 November 2023

A teenager has uncovered numerous flaws, including SQL injection and XML inclusion vulnerabilities, within software used in his school.

18-year-old Bill Demirkapi discovered flaws in, among others, Follett's Student Information System and Blackboard's Community Engagement software, when he was 16, and continued his research right up to his graduation this spring.

Hacking Blackboard’s Community Engagement gave Demirkapi access to the records - from phone numbers to discipline records, bus routes and class schedules - of more than 5,000 schools and around five million students, while Follett’s Student Information System included student passwords that were unencrypted and in fully readable form.

According to Demirkapi, who gave a presentation at the DEF CON 27 conference in Las Vegas, there was nothing high tech about his way of accessing the data: "My method of finding vulnerabilities was ... really inadequate and non-professional. It was just looking at pages and trying to mess with the parameters. The state of cybersecurity in education software is really bad, and not enough people are paying attention to it."

Among what Demirkapi discovered was a local file inclusion flaw that redirected users to a servlet called toolResult.do when they downloaded their report card or schedule.

"After running a tool or attempting to download a file shared with the user, a request to toolResult.do is made. By modifying the fileName parameter to the proper path escape, an attacker can access any file on the system," said Demirkapi, who also found "SQL injections galore" in the Blackboard software.

"I grabbed a list of links through a crawler and using Chrome Web Tools, I would then try and find interesting parameters to play around with and see how the server reacted when it received unexpected input. For parameters that responded to characters commonly used in SQL injection, I put them through SQLmap."

Demirkapi passed on his findings to his school's IT department. However, it ended up being viewed by every school in his district and he was suspended from school for two days. He made any further disclosures to the CERT Coordination Center.

Demirkapi closed his presentation at DEF CON with a message to schools, saying they needed to take data security seriously and not make judgments based on a sales pitch: "Don't fall for marketing. Just because (vendors) say they take care of data doesn't mean they do."

***If Bill Demirkapi's name rings a bell, it may be because you read about him in another story that appeared on SecAlerts: Remote Code Execution Found on Dell Computers.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203