Teen Hacker Finds Bugs in School Software That Exposed Millions of Records (wired.com)
174 points by nreece 37 days ago | 65 comments

Wired should be more careful when saying "He did, in a separate incident, exploit flaws in a college admission software to change his admission status to 'accepted'" when in fact he found that security vulnerability and immediately reported it.

I know SecLists Full Disclosure exists, but it is a shell of its former self: https://seclists.org/fulldisclosure/

Where else can someone report a vulnerability in a way that will get companies to actually listen and fix the issues reported? Is there a Google Project Zero for the rest of us?

Perhaps the dark web should set up shop and bid with foreign/bad actors for these disclosures. Then these companies might care to put in a bid, and long for the days they could have gotten them for free.

eBay for zero days? That's actually interesting.

Is this not how it works already? I'm not a darkweb participant, so I'm pretty clueless - I'd have assumed something like this exists.

It's not exactly consumer friendly. Maybe there's space for a "darknet broker" that assumes the risk of selling on the DW and prices up info for you.

Wow! Those numbers have really fallen.

It's a bit off-topic for the larger discussion of this bug, but how come?

I guess managed bug bounty programs

Isn’t it sad that the software we’re paying millions for has such elementary mistakes?

Is this just a case of ‘Nobody ever got fired for choosing Blackboard’?

> Is this just a case of ‘Nobody ever got fired for choosing Blackboard’?

I would say it's more a case of "Nobody ever got fired"

As a former high-school hacker, I routinely reported major holes to District IT. No one gave a damn. Only once I started poking around private financial data did they raise hell, and even then it was "Show us what you have, tell us how you did it, and we'll let you walk. Otherwise we'll get the police involved."

Handed over my laptop, the IT guy managed to play some Rammstein accidentally but otherwise found nothing of note. I was banned from bringing, touching, or even being near a computer, my assigned seating was moved in all classes directly to the front, and that was that.

Kept in touch with a few of the tech-interested freshmen I knew during my senior year; nothing was ever patched, nothing changed over the ensuing years. The exact same exploits I informed them of were not touched.

There is simply no culture of accountability.

I remember in college they had some data cap on our dorm internet. Just getting a Windows update could block you out for a while or completely. Well, I got tired of it and for some reason looked up how to change my MAC address. I'm not sure how I figured it out, but I realized that changing my MAC address would regain me access.

What I didn't know is that I would pick a random address that would knock one of the higher-ups off the net. Let me tell you, they did not like that one bit.

I came back one day to my roommate saying that they had raided my room trying to get into my PC. I ended up walking into the Dean of Student Life's office and explaining how I got back online. The head of IT didn't believe me, saying you couldn't change your IP by changing your MAC address, let alone that changing your MAC address was even possible. I didn't even bother trying to prove it. Mind you, they also printed out like 200 pages of IRC logs. I kept that open all day while in class, so who knows what it captured.

In the end I got the Kevin Mitnick treatment and they prevented me from using my dorm net as well as any campus PC. I just got a long Cat 5 cable and ran it into the other room. What was odd was they were OK with letting me do my work study, which gave me access to the school website. I guess they would rather let me do that than fool around with other stuff.

Fun times.

Being a "high school hacker" myself, I'd like to offer a slightly less dreary perspective.

Some time back, I found multiple critical vulnerabilities in the most used school database system in the Czech Republic. The whole software is a mishmash of native Windows apps in Delphi and Visual FoxPro and an ASP.NET web interface built in a combination of VB, C# and WebForms. The desktop apps access MS SQL Server directly and security seems to have been done by a very uninformed person (the functionality is only a little better).

I first told my school's network admin, who contacted the developers, who fixed the issues relatively quickly. Everything went relatively smoothly for me, but I know this depends mainly on the individual people involved.

When I was in high school my teacher actually proudly introduced me to the makers of the software they were using. They immediately dismissed it as a known limitation, not a bug. It allowed us to run arbitrary applications/code in their kiosk application.

In university, where they still had HP-UX, I asked the IT department if I could get printer credits in exchange for exploits I reported, and he immediately got angry, saying I should be proud to report them.

Needless to say, I ended up not reporting anything and just keeping them to myself. Thinking back, I guess reporting it somewhere (maybe not in school) could have gotten me more opportunities, but who knows. I kinda wish there was some sort of mechanism to push people to make something out of their talents instead of suffocating them.

I wasn't trying to be dreary so much as point out that entire school districts simply don't care about security one bit, even after being pwned.

There's no incentive for one to give a damn, and we can't rely on good IT to be present in any given organization.

I got past the network drive quotas by accident in high school and got my computer privileges taken away for a couple of weeks. I still had computer classes that I needed to do work in, but the admin didn't care. I already knew the local admin account password, the same for every school computer, so I used that until he reinstated my AD account.

“Accountability for thee, not so much for me”

Having written this story out, my inner conspiracy-theorist wonders if they kept it quiet because they were worried I might've stumbled onto something they didn't want the world to know, perhaps some type of financial mismanagement.

To contrast, I was arrested and sent to county jail, charged as an adult on a "disturbing the peace" style charge, by the same school for telling an administrator, in private, to fuck off in response to a punishment levied without being told what I had actually done.

Schools, eh?

> Schools, eh?

The lesson that many in positions of authority are petty-minded fools is a valuable part of your education.

These security vulnerabilities are there to educate the next generation, so they can experience the incredulity of finding out how fragile computer systems are. Don't rob the next generation of experiences :)

Appreciate you sharing your perspective. I remember a friend of mine in middle/high school would load games onto the school's networked drives. It seems IT played the games too, because they never did anything about it.

One of my buddies did that, hid a half-dozen copies of Counter-Strike. IT took a few down, more would pop up.

Senior year they got some software that would allow a teacher to monitor all classroom computer screens, thus precluding our being able to play anymore. So the same buddy of mine behind the Counter-Strike copies made a wallpaper that was a screenshot of all kinds of infosec tools, Wireshark, Metasploit, etc.

They didn't like that one either.

That’s amazing. Reminds me of a personal finance class I took where we played a stock trading simulation based on prices from the actual market. One of my friends edited the HTML on the game's page to make it look like he made millions. Teacher almost bought that one.

Was the private financial data you were able to poke around in also not patched up? Since that seems to be in their selfish interest to fix.

As far as I'm aware they were mostly spreadsheets just sitting on the file system. Given that all of the exploits were still available, including gaining local superuser accounts, I would assume not.

Who knows, maybe they were just running a honeypot and pretending to be outraged.

> Is this just a case of ‘Nobody ever got fired for choosing Blackboard’?

Sadly, I believe it is. My school recently moved off Blackboard to Canvas after at least ten years. While some teachers were relieved to move to a more modern system that supposedly offers them a better experience (it certainly offers students a better experience), many teachers rejected it as they did not want to learn a new system. My older instructors hardly ever post to Canvas besides updating grades, saying they just don't want to learn it.

Luckily for whoever set up Canvas at our school, I don't think they will get fired over it, but the resistance from staff makes me understand why other schools would feel hesitant to switch off Blackboard.

We are moving to MOOC. We (sysops) are very pleased. Everyone else not so much.

I think this is a space where concerned parents with technical knowledge can help, not by hacking, but by asking for documentation like proof of security audits from their local school board. It’ll up the pressure on vendors to get their act together.

Interesting to see this come up. About 2 years ago I found a similar exploit in Blackboard (XSS that could lead to session hijacking) and found that there was absolutely no way to report the vulnerability except through their help-and-support chat.

After reporting it, they thanked me and said they would be in touch when they addressed it. I never heard from them again, and it seems they didn't take security much more seriously.

Had a similar issue with Southwest Airlines a while back. I wound up emailing a VP directly with screenshots and repro steps by looking up other SW email addresses to figure out their work email format, and then getting the VP's name from LinkedIn.

The VP responded pretty quickly, forwarded my email on to his people, and I wound up getting some free miles.

I was kinda surprised to learn how easy it is to get most corporate email addresses through this experience.

The public disclosure part is really important as it's basically the main stick forcing companies to actually fix things in a timely manner in any case where there's not a direct threat of financial loss to the company.

I once reported a similar XSS session hijacking bug in the LMS our district used in high school. The response? Something along the lines of "hmm, maybe you just shouldn't do that".

> But Gatsis also claimed that even with the security flaws he exploited, Demirkapi could never have accessed Follett data other than his own. Demirkapi counters that he "100 percent had access to other people’s data," and says he even showed Follett's engineers the password of the friend who had let him access his information.

So - someone is lying. Isn't lying about the extent of a security breach a fairly serious matter? Blackboard operates in the EU. Is the disclosure portion of the GDPR retroactive?

Of course - I'm not making any presumptions about which of the two parties is a liar!

Have you ever seen or used Blackboard? It's probably the worst "large" software system I've used outside of something built within an enterprise.

Blackboard is awful. When I was at uni, I actually wrote a scraper to auto-download my course content so I didn't have to use the Blackboard UI. It's upwards of £100k/year too. Definitely a market ripe for a competitor!

My university switched to something called Canvas (right after I graduated, of course) and it's incredibly slick, on top of it being fully OSS. Sakai is out there too — the quality isn't much better than Blackboard but at least it's free!

My school transitioned to Canvas from Sakai; it was like night and day in usability. I used Blackboard in high school, so even Sakai offered a major increase in usability.

Sakai and Canvas seem easy enough to set up that I can't imagine Blackboard can continue making money for much longer.

There's another system called LON-CAPA (written in Perl) that seems ancient compared to the other competing systems. It was very easy to use and "just worked", but it felt like it was straight out of the Web 1.0 era.

I think most of the universities in California have been switching to Canvas. I also use Moodle, which is also FLOSS; personally I strongly prefer the UX to Canvas, but it may be less enterprise-y.

The awful UI and pervasive install base shows that Blackboard's fitness in the market is not tied to their UI or other tech decisions. Building a successful competitor to Blackboard is not predicated on your ability to design a prettier, faster, more usable interface or a simpler, more powerful feature set. It's 100% based on your ability to do enterprise sales to universities.

In the early 00's I developed a test LMS (SCORM) for courseware the company I was working for at the time was building... only because all the LMS software was a convoluted mess.

That test LMS became the LMS for a few major airlines and a large Fortune 50 company (uplifted through a few software shifts). It lasted for more than a decade before being replaced by an "Enterprise" solution, I think it was Blackboard (took 2 years to get it set up right, and people in the know still don't like it).

Changing from Blackboard is a lot of work, and the replacement isn't guaranteed to be better (although while you're using Blackboard it does seem that any replacement at all would be better).

Blackboard has a lot of useful features built up over the years, and they're not all bugs.

Just because the incumbent lacks finesse doesn't mean you can 'eat their lunch' without having better features or a better UI.

People need a reason to change the software they use; when it means retraining a district full of teachers then the reason needs to be good.

It's not just a bad UI, it's also extremely buggy.

The problem is that the market is next to impossible to get into. They're like Photoshop - they've got an army of people trained in using their super complex UI. It's the de facto standard in the market; they've built a massive moat which will be extremely hard to get past.

A better product may be necessary, but it's definitely not sufficient.

Sometimes, unfortunately, you can get away with a worse product and better marketing!

And honestly, Blackboard got worse over the years! They got a UI overhaul a couple of years ago and I hardly recognize it. But it seems like everything is harder to find than it used to be.

Back when I was a SE student, we wrote an application for our university that students could use to access their examination schedules without having to look through the Blackboard calendar.

Which was so much better, because you did not have to log in and it was faster than going through Blackboard's UI...

I think Rutgers in NJ used Sakai. As well as some other schools. It’s not much better but it’s far cheaper.

Canvas is the new kid on the block. Even Canvas has issues though so it’s great as a replacement for Blackboard, but there’s still plenty more that can be disrupted and improved.

When I was at school they were using Moodle. And I gotta say Moodle was very solid. The UI wasn't terrible and everything worked.

But the big plus: open source and completely free to self-host.

Except they have patents on 'e-learning'.

So it’s the worst software system short of 90% of the other stuff you’ve seen?

I'd assume they meant "built within an enterprise" in terms of internal tooling.

It's possible he got read-only access while they're saying he wouldn't have gotten read/write access.

My high school's records were similarly unsecured - I got a surprising amount of read-only access (including how much money was on students' IDs for lunch), but couldn't change anything.

Now consider that for 10 years, minimum, these exploits have been known and easily discovered... enabling enough private data of high school students anywhere these applications were used to manipulate the students and/or more easily social engineer accounts at other institutions. The information gained undoubtedly contained social security numbers, parents' full names and so on - the exact verification information used to "recover" lost passwords at locations not yet supporting multi-factor authentication.

I'm surprised they didn't go Aaron Swartz on him.

My school has had Blackboard for a while now. I've always suspected it to be vulnerable but never really tested it. In particular, you can make forum posts and view/edit the HTML that the WYSIWYG editor creates. This always made me feel like there's probably an XSS vulnerability there.
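An added example, not from this thread and not Blackboard's code: the server-side defence for the risk raised in this comment and in the earlier XSS-to-session-hijacking report, an allowlist sanitizer for rich-text forum posts whose HTML a user can edit by hand. The tag/attribute allowlists and the sample posts are assumptions made for the example, not any LMS's real policy.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlists are assumptions for this example, not any LMS's real policy.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "a", "br", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative URL

class WysiwygSanitizer(HTMLParser):  # re-emits only allowlisted markup; text is always escaped
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities decoded, so we re-escape on output
        self.out = []
        self.open_tags = []
        self.skip_depth = 0  # > 0 inside <script>/<style>, whose content is discarded entirely

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag (img, iframe, svg, ...) is dropped; its inner text survives
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops every on* handler, style=, srcdoc=, etc.
            if name == "href":
                # Browsers ignore tab/CR/LF inside a URL, so remove them before classifying.
                value = "".join(c for c in value if c not in "\t\r\n").strip()
                if urlparse(value).scheme.lower() not in SAFE_SCHEMES:
                    continue  # javascript:, data:, vbscript: ... links are removed
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":  # <br> is void, nothing to close later
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in self.open_tags:
            while self.open_tags:  # also closes anything left open inside this element
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text can never turn into markup

    def result(self):
        self.close()  # flush buffered text
        while self.open_tags:  # balance whatever the post left unclosed
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)

def sanitize_post(raw_html):
    s = WysiwygSanitizer()
    s.feed(raw_html)
    return s.result()
```

Run on a constructed post such as `'<p onclick="x()">Hi</p><script>alert(document.cookie)</script>'` it returns `'<p>Hi</p>'`; pairing this with HttpOnly session cookies limits what a surviving injection could steal.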

10-15 years ago you would keep things like this quiet and maybe share it with your closest friends. Now it's like everyone is scrambling to show how "good" they are. Something has changed, and I'm not so sure if it's for the better...

How is disclosing critical security vulnerabilities responsibly a bad thing, again?

Would also like someone to perhaps chime in too...

In the "good" old days (some of us will recall mind you), those in power ($) controlled all information flow. We now have (though not as strong as I would like it) outlets in which an individual, without corp sponsorship, can have their voice hosted and maybe heard. This is a vast improvement.

To those wondering what I meant, I've heard the saying goes like this: "those who work in a noose-making factory should be wise to not make them too strong, lest they find themselves with one around their necks." It's not directly applicable to this instance, but more aimed towards those who are literally helping companies strengthen their walled-garden control.

> those in power ($) controlled all information flow.

...replace '$' with 'knowledge (of bugs, etc.)' and that would be more accurate.

> 10-15 years ago you would keep things like this quiet and maybe share it with your closest friends.

He presented his findings at DEF CON, pretty standard operating procedure these days. Instead of pretending bugs are rare and hard to find, we're becoming more accepting that bugs will be found, and allowing people to responsibly disclose them is the best way so far.

> Now it's like everyone is scrambling to show how "good" they are.

Regardless of their motives, their (responsible) disclosures generally benefit the users of the software. Also, it's work and seems fair to compensate them. Some of these bugs are not shallow and it takes a remarkable amount of patience and talent to find them, so in some cases they really are good and deserve some recognition.

How would sharing things that make the world better not be for the better?

Just maybe he wanted to help rectify the situation and not go to prison?

> Something has changed

It's like everyone is looking for approval, and in more public settings.

People are motivated by things like this, to do more and to achieve more. I am perfectly ok with people seeking attention for things they did to better the world. The opposite, not so much.
