
How we hacked Blackboard and changed our grades (2018) - got-any-grapes
https://bustbyte.no/blog/how-we-hacked-blackboard-and-changed-our-grades
======
_nickwhite
When I was in college around Y2K, I took a "Foundations of Music" class
offered online- an elective that taught, well, foundations of music,
specifically how to read music. Students had to install this janky,
low-quality, Windows Visual Basic application and do 100% of the coursework using
it. This VB app would output a results file, and then we had to upload it to
the professor. Well, I edited the file, and found that it had a primitive
CSV-like format where right answers were basically question1=1 and wrong answers
were question1=0.

So theoretically, I could have just generated answer files for every single
lesson for the whole semester- and a lot of them I did. BUT, I was scared that
the final exam was going to be conducted on-campus, where it would be less
tenable to be a dirty-rotten-cheating-scumbag.

So I actually had to learn the coursework, and learn how to read music and all
its intricacies. (I do not play an instrument unless you count guitar chords.)

When the final exam came, instead of it being on-campus, the professor used
the EXACT SAME VB application to run it. It took me about 5 minutes and I
scored a 100% on it thanks to notepad.exe.

There's a moral to this story somewhere. I use notepad.exe a lot more these
days than I read music, so perhaps it was foreshadowing an IT career?

~~~
Smithalicious
A moral of the story is that people will optimize for what's being measured,
not what is intended. Machine learning does this even more so, with hilarious
results.

~~~
mdorazio
Yup. Another example of this is when I was in college and other students would
go on ratemyprofessor or look up grade distributions for different professors
and class options to pick the easiest ones. The thought of, you know, actually
learning something even if it was hard wasn’t even a consideration - they just
wanted the GPA.

This continues in the working world as well, unfortunately. Many employees
will optimize behaviors and attention to what’s most likely to get them a
bonus or promotion regardless of how damaging it is to other people, users, or
the company long term.

~~~
tombert
The "choosing the easy professor path" always bothered me too; I always felt
that it was stupid to go to college just to get the receipt, so I purposefully
didn't do the ratemyprofessor thing, though now I almost wish I had, since I
ended up on academic probation and eventually dropping out...though that might
have less to do with my class selection and more to do with me spending most
of my time playing Minecraft, upon reflection.

I think _good_ companies (which are incredibly rare) will figure out how to
make the behaviors that get people bonuses and/or promoted coincide with the
ones that are good for the company long-term. Sadly, it doesn't seem to happen
that way too frequently.

~~~
really3452
I would use rate my professor to make sure that I didn't end up with an
over-the-top difficult general class that I didn't really care about but needed to
fulfill a requirement (Art history, public speaking, etc). That way I could
optimize my study time to focus on in-major classes.

------
bredren
When I was in high school, the “good” PCs were locked with a boot password.
Only upper level cs students could use them.

It was somewhat annoying to have to get our teacher to enter the password each
time it froze etc. Partially because higher level classes were all individual
study and often math classes were in progress in the same room. So it could
take a while to get the teacher’s attention.

So one time some classmates switched the keyboards between two computers and
handed one to the teacher to enter the password.

As the characters appeared in plaintext, another student typed the characters
into the boot screen as fast as possible.

The boot password was passed down as a secret between juniors and seniors for
years.

~~~
hencq
Hahaha, this is genius. I love the inventiveness of the low-tech keylogger
here.

------
tomatohs
When I was a junior, I mentioned to my housemate that I had forgotten my
Blackboard password. "It's just your birthday" he said, and I looked at him
shocked.

30 minutes later I was in my professor's account. Their birthday month and day
were public on Facebook, so it was only a matter of guessing their age.

I reported this to our IT department and they were not pleased. They let me
know they had the power to expel me but wouldn't.

A week later, I found another exploit. I think Blackboard group chat allowed
JS execution outright. I redirected the class to "disney.com" but never
disclosed it to IT because of the earlier threats.

~~~
XIVMagnus
I have and forever will find it extremely stupid to threaten someone with
expelling them for trying to HELP you do your job.

~~~
danesparza
School (the institution) is not about learning. School (the institution) is
about conformity. And finding exploits is anything BUT conformity.

~~~
packet_nerd
It _should_ be about learning. I think finding exploits should be encouraged
and rewarded.

~~~
danesparza
Agreed.

------
codr7
I once wrote a memory-resident keylogger back in high school to catch the
lonely sysadmin's network login. Not that I knew what to do with the login, I
just wanted to prove to myself that I could.

I got plenty of logins, but not the one I wanted. Until a friend looked over
the sysadmin's shoulder. I lost interest right there, but my friend went on to
wreck the entire network by mistake and barely escaped paying for the whole
mess.

Have to give some credit to the sysadmin for the catch. To figure out who was
messing with his stuff, he put a program that emitted a high frequency tone
through the PC-speaker in his login script and sat down next door to wait for
my friend to take the bait.

------
nabergh
When I was a high school sophomore, Blackboard allowed you to customize your
student homepage with widgets, one of which was a "notes" widget which allowed
you to save random strings which would be displayed on your page next time you
loaded it. Fortunately, if you saved arbitrary html, it would be rendered so
we embedded flash games for us to play during classes which allowed computer
use.

------
kirykl
Years ago I had an internship; in the lab there were a couple of airgapped PCs
with some confidential stuff on them, at least above my pay grade of $0. I was
bored and tried logging in with admin/admin and it worked, basically giving me
root level access. I reported it, IT security interviewed me and I wasn't
allowed near the PCs for the remainder of my internship.

~~~
Zhenya
Seems like their punishment should have been redirected at themselves.

------
danso
Seems to be no mention of a bug bounty (or a thank you email), despite the
severity of the bug and its cleverness.

~~~
antsar
Worse,

> 02/27: Attended conference call with Blackboard and NTNU to explain exploit

> Blackboard stopped responding to our e-mails 02/28.

~~~
mnky9800n
If they were American they would probably be in prison now.

~~~
TrackerFF
We had another case in Bergen (Norway) where some 13 year old kid wrote a
script to search files on school HD for things like usernames, etc.

To his big surprise, he found his own. On a spreadsheet, with usernames and
passwords of 35000 others, in clear text.

Turns out students had credentials to such places.

He tipped the school, who in turn called the cops on him. Cops went to his
home and confiscated his computer.

~~~
food_eater
Well I'd say that student got a lesson that years of schooling could never
provide!

------
choeger
Ok, I might be a little out of date with my web development knowledge, but my
first question would not be about the origin but about the embedding itself.
The user's input is rendered in the web frontend of Blackboard? Why?

And second, how did they actually exploit it? Presumably the authentication
works by some kind of token, right? Is the client js generally allowed to
perform http requests outside of the origin domain? If not how did they hijack
the authentication?

~~~
maxyme
The student's input is rendered for teachers to make it easier to grade
submissions without opening them in an external tool.

As someone who used Blackboard in college I can tell you it's a mess. Neither
teachers nor students like it. It integrates with a ton of 3rd party libraries
to be "helpful" by embedding content like this but ends up with a ton of
different, inconsistent and often broken experiences.

~~~
mikeyouse
And they're extremely litigious on IP matters which makes competing with them
a nightmare.

------
the_watcher
My freshman year of high school, some seniors got in trouble for changing
their grades (I'm almost positive we used Blackboard). Ironically, the kids
who did this were all excellent students and the modifications were things
like "A- is now an A". The teachers talked about the kids being hackers and
that recording grades in software wasn't safe because it meant hackers could
always get an A.

Turned out, there was an admin account (u/p: admin/admin or something equally
trivial to guess) with superuser access that someone learned.

------
tru3_power
A while back I looked into Blackboard and did some light black box security
testing on a demo app. From what I remember it was like Swiss cheese.
Ultimately I stopped looking because they didn’t seem too interested. Some of
the good ones I found were arbitrary file I/O issues, a few IDOR related
problems as well. None of this surprises me.

------
swsieber
The funnest school computer exploit I figured out was how to run a game from a
USB drive (circa 2007).

I was in an accounting class (using Excel) and I tended to finish the earliest
with our in-class work because of judicious use of formulas and copy-paste
(instead of entering data twice for the two-ledger stuff).

The computers were set to disallow running unapproved programs, but I figured
out that you could launch an executable from within a zip file (the computers
ran XP IIRC). The only thing left to do was to configure the game at home
(before zipping it up) to save files, look for other config, etc. from the
drive letter the thumbdrive would be mounted at at school because it of course
couldn't save the updated settings to the zip file.

I had a good teacher - he let me sit at the back, and I just kept the volume
down :)

------
tombert
I remember when I was a teenager in high school, I found out that
ftp.<my_school_district>.net was open, with the login of "admin" and password
of "admin".

I wasn't able to figure out how to change my grades (and I would like to think
that I wouldn't have even if I could have), but I did find a directory of all
their registered software that I was able to download, and the teachers'
profile pages were editable. If I recall, I think I edited the profile of one
teacher (that I was reasonably certain wouldn't get me in trouble if I got
caught) to end with "Mr. <Teacher's Name> is a goofball".

~~~
saalweachter
I think the most maddening thing you could do in that scenario without being
_malicious_ would be to just log in periodically, pick a teacher at random,
and "corrupt" their name randomly. Switch two letters, insert random symbols
and numbers, etc. Don't make the names insulting or anything, just make a
subtle, visible, slowly progressive 'bug'.

Assuming it isn't ignored, you can smile to yourself years later at the
thought that there is a bug report open somewhere that a poor engineer has
probably spent weeks trying to reproduce.

~~~
tombert
I didn't really want to make anyone's life miserable; I'll admit that the
thing I wanted most was to be able to do what Matthew Broderick did in
WarGames and change grades, though as stated I at least told myself I wouldn't
actually go through with it.

------
elwell
When I was in HS, it was GradeQuick, and my teacher typed his password in
front of the whole class on an on-screen keyboard of his tablet projected on
the wall. I tested the password out, but didn't change anything.

------
d--b
This seems to require a lot of trial-and-error. How did they do it? Did they
send tons of crappy content to their teacher before finding the vulnerability
that passed the filter?

~~~
hippich
From the video it seems they had instructor's access.

But in real life they could save a draft and view it as a student to see if
they can hijack the session.

Another perhaps lesson - if security really matters - perhaps instructors and
students should have completely different decoupled apps to do the job.
(security through obscurity)

------
pi314s
We need more stories like this :) Break the system, demonstrate how it's done,
and let it improve itself. White-hat hacking, isn't it?

------
onemoresoop
Changing your grades may look like a thrill now but in the long run you're
only screwing yourselves.

~~~
viklove
Yeah earning that A in Sociology 101 really changed my life's trajectory.

~~~
onemoresoop
If you earned that grade honestly a few ideas may stay with you for your
entire life and that may change your life, even if imperceptibly. Anything you
study has the potential to make you a better, more well rounded, knowledgeable
and less ignorant person.

~~~
teppifk
> Anything you study has the potential to make you a better, more well
> rounded, knowledgeable and less ignorant person.

This is a pretty meaningless sentiment. There are plenty of things one can
study that will lead to more ignorance and less well-roundedness. In the
extreme, this is pretty much how cults can operate. I believe it also applies
to a number of subjects in mainstream universities, but I am not going to hop
into that fire pit.

~~~
onemoresoop
You already did. Why not choose the right university/curriculum that you're
interested in? Or you have a problem with most of them?

~~~
teppifk
No I did not.

It's a _university_.. there are a broad array of departments and courses, and
I am saying that a handful of them at a multitude of universities have the
potential to close minds and lead to more ignorance - this broad statement
isn't too controversial - witnessed by the very vocal debate about it. I am
not going to jump into the pit of the specifics of that debate though.

