
Teen Hacker Finds Bugs in School Software That Exposed Millions of Records - nreece
https://www.wired.com/story/teen-hacker-school-software-blackboard-follett/
======
sersi
Wired should be more careful when saying "He did, in a separate incident,
exploit flaws in a college admission software to change his admission status
to 'accepted'" when in fact he found that security vulnerability and
immediately reported it.

------
thrownaway954
I know SecLists Full Disclosure exists, but it is a shell of its former self:
[https://seclists.org/fulldisclosure/](https://seclists.org/fulldisclosure/)

What other places can someone report a vulnerability to that will get
companies to actually listen and fix the issues reported? Is there a Google
Project Zero for the rest of us?

~~~
Chris2048
Perhaps the dark web should set up shop and bid with foreign/bad actors for
these disclosures. Then these companies might care to put in a bid, and long
for the days they could have gotten them for free.

~~~
abfan1127
eBay for zero days? That's actually interesting.

~~~
delinka
Is this not how it works already? I'm not a darkweb participant, so I'm pretty
clueless - I'd have assumed something like this exists.

~~~
Chris2048
It's not exactly consumer friendly. Maybe there's space for a "darknet broker"
that assumes the risk of selling on the DW and prices up info for you.

------
Aeolun
Isn’t it sad that the software we’re paying millions for has such elementary
mistakes?

Is this just a case of ‘Nobody ever got fired for choosing Blackboard’?

~~~
mieseratte
> Is this just a case of ‘Nobody ever got fired for choosing Blackboard’?

I would say it's more a case of "Nobody ever got fired"

As a former high-school hacker, I routinely reported major holes to District
IT. No one gave a damn. Only once I started poking around private financial
data did they raise hell, and even then it was "Show us what you have, tell us
how you did it, and we'll let you walk. Otherwise we'll get the police
involved."

I handed over my laptop; the IT guy managed to play some Rammstein accidentally
but otherwise found nothing of note. I was banned from bringing, touching, or
even being near a computer, my assigned seating was moved in all classes
directly to the front, and that was that.

I kept in touch with a few of the tech-interested freshmen I knew during my
senior year: nothing was ever patched, nothing changed over the ensuing years.
The exact same exploits I informed them of were not touched.

There is simply no culture of accountability.

~~~
dvdkon
Being a "high school hacker" myself, I'd like to offer a slightly less dreary
perspective.

Some time back, I found multiple critical vulnerabilities in the most used
school database system in the Czech Republic. The whole software is a mishmash
of native Windows apps in Delphi and Visual FoxPro and an ASP.NET web
interface built in a combination of VB, C# and WebForms. The desktop apps
access MS SQL Server directly and security seems to have been done by a very
uninformed person (the functionality is only a little better).

I first told my school's network admin, who contacted the developers, who
fixed the issues relatively quickly. Everything went relatively smoothly for
me, but I know this depends mainly on the individual people involved.

~~~
rjzzleep
When I was in high school my teacher actually proudly introduced me to the
makers of the software they were using. They immediately dismissed it as a
known limitation, not a bug. It allowed us to run arbitrary applications/code
in their kiosk application.

In university, where they still had HP-UX, I asked the IT department if I could
get printer credits in exchange for exploits I reported, and he immediately got
angry, saying I should be proud to report them.

Needless to say, I ended up not reporting anything and just keeping them to
myself. Thinking back, I guess reporting it somewhere (maybe not in school)
could have gotten me more opportunities, but who knows. I kinda wish there was
some sort of mechanism to push people to make something out of their talents
instead of suffocating them.

------
throwaway-ehki
I think this is a space where concerned parents with technical knowledge can
help, not by hacking, but by asking for documentation like proof of security
audits from their local school board. It’ll up the pressure on vendors to get
their act together.

------
Conlectus
Interesting to see this come up. About 2 years ago I found a similar exploit
in Blackboard (XSS that could lead to session hijacking) and found that there
was absolutely no way to report the vulnerability except through their
help-and-support chat.

After reporting it, they thanked me and said they would be in touch when they
addressed it. I never heard from them again, and it seems they didn't take
security much more seriously.

~~~
save_ferris
Had a similar issue with Southwest Airlines a while back. I wound up emailing
a VP directly with screenshots and repro steps by looking up other SW email
addresses to figure out their work email format, and then getting the VP's
name from LinkedIn.

The VP responded pretty quickly, forwarded my email on to his people, and I
wound up getting some free miles.

I was kinda surprised to learn how easy it is to get most corporate email
addresses through this experience.

------
andybak
> But Gatsis also claimed that even with the security flaws he exploited,
> Demirkapi could never have accessed Follett data other than his own.
> Demirkapi counters that he "100 percent had access to other people’s data,"
> and says he even showed Follett's engineers the password of the friend who
> had let him access his information.

So - someone is lying. Isn't lying about the extent of a security breach a
fairly serious matter? Blackboard operates in the EU. Is the disclosure
portion of the GDPR retroactive?

Of course - I'm not making any presumptions about which of the two parties is
a liar!

~~~
radicalbyte
Have you ever seen or used Blackboard? It's probably the worst "large"
software system I've used outside of something built within an enterprise.

~~~
nicoburns
Blackboard is awful. When I was at uni, I actually wrote a scraper to
auto-download my course content so I didn't have to use the Blackboard UI.
It's upwards of £100k/year too. Definitely a market ripe for a competitor!

~~~
LeifCarrotson
The awful UI and pervasive install base show that Blackboard's fitness in the
market is not tied to their UI or other tech decisions. Building a successful
competitor to Blackboard is not predicated on your ability to design a
prettier, faster, more usable interface or a simpler, more powerful feature
set. It's 100% based on your ability to do enterprise sales to universities.

~~~
pbhjpbhj
Just because the incumbent lacks finesse doesn't mean you can 'eat their
lunch' without having better features or a better UI.

People need a reason to change the software they use; when it means retraining
a district full of teachers then the reason needs to be good.

~~~
LeifCarrotson
A better product may be necessary, but it's definitely not sufficient.

~~~
pbhjpbhj
Absolutely.

Sometimes, unfortunately, you can get away with a worse product and better
marketing!

------
bsenftner
Now consider that for 10 years, minimum, these exploits have been known and
easily discovered... enabling enough private data of high school students
anywhere these applications were used to manipulate the students and/or more
easily social engineer accounts at other institutions. The information gained
undoubtedly contained social security numbers, parents' full names and so on -
the exact verification information used to "recover" lost passwords at
locations not yet supporting multi-factor authentication.

------
mariuolo
I'm surprised they didn't go Aaron Swartz on him.

------
cantcomplain
My school has had Blackboard for a while now. I've always suspected it to be
vulnerable but never really tested it. In particular, you can make forum posts
and view/edit the HTML that the WYSIWYG editor creates. This always made me
feel like there's probably an XSS vulnerability there.
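
The worry raised in this comment, and in Conlectus's earlier report of an XSS in Blackboard, is what a server-side allowlist sanitizer is for: letting users hand back raw HTML from a WYSIWYG editor is only dangerous if the server trusts it. The following is an added example written for this thread, not code from Blackboard, the article, or any poster. It uses only Python's standard-library `html.parser`; the allowed tag and attribute policy, the `sanitize`/`safe_href` names, and the sample posts are all assumptions constructed for illustration.

```python
"""Allowlist HTML sanitizer for user-supplied forum markup (added example).

Assumption: the WYSIWYG editor submits raw HTML and the server stores it;
everything below runs before that markup is saved or rendered to anyone.
"""
from html import escape
from html.parser import HTMLParser

# Assumed policy: a small formatting vocabulary. Any other tag is dropped
# while its text content is kept; <script>/<style> bodies are dropped too.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "u", "ul", "ol", "li",
                "blockquote", "pre", "code", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # no style, no on* handlers, ever
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def safe_href(value: str) -> bool:
    """Only absolute http(s)/mailto links survive; javascript:, data: do not."""
    return value.strip().lower().startswith(SAFE_SCHEMES)


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []      # output fragments
        self.open = []     # stack of allowed tags currently open
        self.skip = 0      # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return                       # unknown tag: drop it, keep its text
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue                 # event handlers etc. never pass
            if name == "href" and not safe_href(value):
                continue
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip = max(0, self.skip - 1)
            return
        if tag in self.open:
            while self.open:             # close everything nested inside it
                closing = self.open.pop()
                self.out.append(f"</{closing}>")
                if closing == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))   # re-escape so text stays text

    # Comments, doctypes and processing instructions hit the base-class
    # no-op handlers and are therefore dropped from the output.

    def result(self) -> str:
        while self.open:                 # balance anything left unclosed
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(markup: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample posts, not real Blackboard content.
    samples = [
        '<p onclick="alert(1)">hi <img src=x onerror=alert(1)></p>',
        '<script>alert(1)</script><b>bold</b>',
        '<a href="javascript:alert(1)">x</a>',
        '<a href="https://example.com/?a=1&b=2">link</a>',
        '<b><i>unclosed',
    ]
    for s in samples:
        print(repr(s), "->", repr(sanitize(s)))
```

The design point is that the policy is an allowlist, not a blocklist: the sanitizer never tries to recognise "bad" HTML, it only emits tags and attributes it was told are fine and escapes everything else as text. Run it on the stored markup at render time as well as on submission, so content that entered the database before the check existed is covered too.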

------
userbinator
10-15 years ago you would keep things like this quiet and maybe share it with
your closest friends. Now it's like everyone is scrambling to show how "good"
they are. Something has changed, and I'm not so sure if it's for the better...

~~~
kossae
How is disclosing critical security vulnerabilities responsibly a bad thing,
again?

~~~
flowersjeff
Would also like someone to perhaps chime in too...

In the "good" old days (some of us will recall, mind you), those in power ($)
controlled all information flow. We now have (though not as strong as I would
like it) outlets in which an individual, without corp sponsorship, can have
their voice hosted and maybe heard. This is a vast improvement.

~~~
userbinator
To those wondering what I meant, I've heard the saying goes like this: "those
who work in a noose-making factory should be wise to not make them too strong,
lest they find themselves with one around their necks." It's not directly
applicable to this instance, but more aimed towards those who are literally
helping companies strengthen their walled-garden control.

 _those in power ($) controlled all information flow._

...replace '$' with 'knowledge (of bugs, etc.)' and that would be more
accurate.

