How we hacked Blackboard and changed our grades (2018) (bustbyte.no)
155 points by got-any-grapes 27 days ago | 88 comments

When I was in college around Y2K, I took a "Foundations of Music" class offered online- an elective that taught, well, foundations of music, specifically how to read music. Students had to install this janky, low-quality, Windows Visual Basic application and do 100% of the coursework using it. This VB app would output a results file, and then we had to upload it to the professor. Well, I edited the file, and found that it had a primitive CSV-like format where right answers were basically question1=1 and wrong answers were question1=0.

So theoretically, I could have just generated answer files for every single lesson for the whole semester- and a lot of them I did. BUT, I was scared that the final exam was going to be conducted on-campus, where it would be less tenable to be a dirty-rotten-cheating-scumbag.

So I actually had to learn the coursework, and learn how to read music and all its intricacies. (I do not play an instrument unless you count guitar chords.)

When the final exam came, instead of it being on-campus, the professor used the EXACT SAME VB application to run it. It took me about 5 minutes and I scored a 100% on it thanks to notepad.exe.

There's a moral to this story somewhere. I use notepad.exe a lot more these days than I read music, so perhaps it was foreshadowing an IT career?

A moral of the story is that people will optimize for what's being measured, not what is intended. Machine learning does this even more so, with hilarious results.

Yup. Another example of this is when I was in college and other students would go on ratemyprofessor or look up grade distributions for different professors and class options to pick the easiest ones. The thought of, you know, actually learning something even if it was hard wasn’t even a consideration - they just wanted the GPA.

This continues in the working world as well, unfortunately. Many employees will optimize behaviors and attention to what’s most likely to get them a bonus or promotion regardless of how damaging it is to other people, users, or the company long term.

The "choosing the easy professor path" always bothered me too; I always felt that it was stupid to go to college just to get the receipt, so I purposefully didn't do the ratemyprofessor thing, though now I almost wish I had, since I ended up on academic probation and eventually dropping out...though that might have less to do with my class selection and more to do with me spending most of my time playing Minecraft, upon reflection.

I think good companies (which are incredibly rare) will figure out how to make the behaviors that get people bonuses and/or promoted coincide with the ones that are good for the company long-term. Sadly, it doesn't seem to happen that way too frequently.

I would use rate my professor to make sure that I didn't end up with an over-the-top difficult general class that I didn't really care about but needed to fulfill a requirement (Art history, public speaking, etc). That way I could optimize my study time to focus on in-major classes.

Small anecdote: I always did worse in college with professors or courses that were looked at as “easy” because I was not motivated to put in effort. Courses that were looked at as hard or professors that were rated as tough tended to make me “respect the class” and subsequently do better and learn more.

It all depends on your goal of going to college. Do you have ad-hoc self-taught and real world experience doing your major? Then you may just want a paper to show your employer. No clue about anything in your field and want to learn? Then having intense classes should be your end goal. Everyone has different reasons for attending college, at the end of the day a lot of students forget that they're only there for themselves and no one outside of their classroom will care much about what they did in it.

That's not the only thing ratemyprofessor is useful for. Everyone has different learning styles. In college I did super well learning outside of class when needed, but being able to narrow down the professors to the ones I knew would be compatible with my in-class learning style was better than nothing.

Maybe the professors who gave the best grades are the best teachers and that's why the students got better grades. If one teacher gave half of their students an A grade, and another one gave half of their students a failing grade, that doesn't sound like a problem with the students.

You don't say... https://easy-a.net/

I have a similar story. 7th grade, online science test, multiple choice and essay answers. When you click submit for the test, it shows you (in a JavaScript alert window) "you got X/Y correct. your essays have been submitted" and then POSTs to another page (which submits the essay). After I saw this on the first assignment, I had an idea. On the second assignment, I turned off my internet, and it still told me how many I got right and wrong, but then 404ed when it submitted my essay. So then, I modified my answers until I got them all right, plugged my internet back in, and submitted the multiple choice and essays, now with all the multiple choice answers correct.

Had a similar thing at my college. If you are trying to take a language class, you need to take an online test to examine your current level of knowledge of the language, so that they can put you in an appropriate class level (i.e., basically allowing you to test out of beginner level classes, if you have enough knowledge to take the more advanced ones). I found out that all the correct answers were basically encoded into the front-end HTML, so it looked something like "return question1.result === "XYZ"". While the value of cheating on such a test is extremely dubious (you do not get any credit on your transcript for the beginner classes if you tested out of them), I thought it was interesting nonetheless.

Almost the exact same situation with a music app when I was in high school. It would record you play a piece of music and then grade how many notes you got right. It would literally just save your grade into a SQLite database that you could manipulate before uploading to your teacher.
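The stories above share a failure mode: the grade is computed or stored on the client (a results file, a SQLite row), the answer key ships in front-end code, or the score is revealed before the submission is committed. The sketch below is an added example of grading on the server instead; it is not part of any comment or of any product named in the thread, and the question bank, `GradeBook` and `clientView` are constructed for illustration.

```javascript
// Added illustration; every name and value here is constructed.
// Server-side question bank. The `answer` field never leaves the server.
const QUESTION_BANK = [
  { id: "q1", prompt: "How many lines are in a staff?", choices: ["4", "5", "6"], answer: "5" },
  { id: "q2", prompt: "Which clef is also called the G clef?", choices: ["treble", "bass", "alto"], answer: "treble" },
  { id: "q3", prompt: "How many beats does a whole note get in 4/4?", choices: ["2", "3", "4"], answer: "4" },
];

// What the browser receives: prompts and choices only, so there is
// no answer key in the page source to read.
function clientView(bank) {
  return bank.map(({ id, prompt, choices }) => ({ id, prompt, choices }));
}

class GradeBook {
  constructor(bank) {
    this.key = new Map(bank.map((q) => [q.id, q.answer]));
    this.recorded = new Map(); // studentId -> score, written exactly once
  }

  // `payload` is whatever the client sent and is treated as untrusted.
  // Only `payload.answers` is read; a client-supplied score or
  // "question1=1"-style flag is ignored because nothing looks at it.
  submit(studentId, payload) {
    // One committed attempt per student: the score is only revealed after
    // the submission is final, so it cannot be used as a guess-and-retry oracle.
    if (this.recorded.has(studentId)) {
      return { accepted: false, reason: "already submitted" };
    }
    const hasAnswers =
      payload !== null && typeof payload === "object" &&
      payload.answers !== null && typeof payload.answers === "object";
    const answers = hasAnswers ? payload.answers : {};

    let score = 0;
    for (const [id, correct] of this.key) {
      const given = Object.prototype.hasOwnProperty.call(answers, id)
        ? answers[id]
        : undefined;
      if (typeof given === "string" && given === correct) score += 1;
    }
    this.recorded.set(studentId, score);
    return { accepted: true, score, total: this.key.size };
  }

  gradeOf(studentId) {
    return this.recorded.has(studentId) ? this.recorded.get(studentId) : null;
  }
}

// Constructed scenario: a tampered first submission, then a retry.
function demo() {
  const book = new GradeBook(QUESTION_BANK);
  const first = book.submit("student-1", {
    score: 3,              // forged client-side score, ignored
    q1: 1,                 // forged "right answer" flag, ignored
    answers: { q1: "5", q2: "bass" },
  });
  const retry = book.submit("student-1", {
    answers: { q1: "5", q2: "treble", q3: "4" },
  });
  return {
    first,
    retry,
    stored: book.gradeOf("student-1"),
    sent: JSON.stringify(clientView(QUESTION_BANK)),
  };
}
```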

That was probably technically wire fraud, but an interesting story no less. Not to worry, the statute of limitations is 5 years. (IANAL)

When I was in high school, the “good” PCs were locked with a boot password. Only upper level cs students could use them.

It was somewhat annoying to have to get our teacher to enter the password each time it froze etc. Partially because higher level classes were all individual study and often math classes were in progress in the same room. So it could take a while to get the teacher’s attention.

So one time some classmates switched the keyboards between two computers and handed one to the teacher to enter the password.

As the characters appeared in plaintext, another student typed the characters into the boot screen as fast as possible.

The boot password was passed down as a secret between juniors and seniors for years.

Hahaha, this is genius. I love the inventiveness of the low-tech keylogger here.

This is very similar to how MFA bypasses are done now. The user will be tricked into viewing a site that looks like the correct one to input the MFA code but it will instead be captured and relayed through an attacker controlled connection.

In high school, I wrote a program that drew a realistic picture of our login screen, with two real inputs for username and password. No matter what you typed in those boxes, my program would save it to a text file in my home directory, and then log me out, which would instantly display the real login prompt.

I didn't have any real reason to steal everyone's credentials including the teacher's, but it was fun. And I would have gotten away with it, if I wasn't storing the output in a file called stolen_passwords.txt!

I got busted, and the teacher said I could either take 23 Saturday detentions, or help him fix the login screen so that my attack wouldn't work anymore. I made an honest effort at the latter, and he let me off.

I did something similar with the family PC a while ago- we had a wireless keyboard, and after convincing my parents to type in the password from the living room, I asked them to "log it in" from their bedroom. Notepad saved the day, and for some reason, very soon after that all the parental restrictions disappeared on my account.

I still hate Vista, though.

The best security bypasses tend to be the simplest ones!

When I was a junior, I mentioned to my housemate that I had forgotten my Blackboard password. "It's just your birthday" he said, and I looked at him shocked.

30 minutes later I was in my professor's account. Their birthday month and day were public on Facebook, so it was only a matter of guessing their age.

I reported this to our IT department and they were not pleased. They let me know they had the power to expel me but wouldn't.

A week later, I found another exploit. I think Blackboard group chat allowed JS execution outright. I redirected the class to "disney.com" but never disclosed it to IT because of the earlier threats.

We used It's Learning in "high school". It had login without https at the time, and on the school wifi it was then easy to listen and get others' credentials. Some people got hold of some teachers' credentials, and tried to remove or alter some minuscule data.

One guy however, decided to sell grade-editing as a service to others. Of course it was noticed by the school, and it became a big deal with police involved and everything. Happy ending, though, the two people I know that were involved got master's in compsci a few years later.

Must've been fixed. My school used It's Learning for a while until this year, and it was fairly secure. HSTS of course.

Yes, this was 10 years ago. I may even misremember, maybe it was an unsecured single sign on in front or something where the fault actually was.

Did this happen to go down in Florida?

I have and forever will find it extremely stupid to threaten someone with expelling them for trying to HELP you do your job.

Having worked for a public school district, it is my experience that things almost never go down as parent said. What actually happens is that they get caught and make an excuse (I was about to report it!) or their "report" of the problem is in the form of some leet-speak shit-talk on a public message board. A common theme you'll notice when people describe these events, even from their own perspective, is how they absolutely did change something, deface the page, etc.

School (the institution) is not about learning. School (the institution) is about conformity. And finding exploits is anything BUT conformity.

It should be about learning. I think finding exploits should be encouraged and rewarded.


Perhaps in some places, but not everywhere.

I got in-school suspension for the last 1/3 of senior year in HS because I took screenshots of a shared network directory permissions problem.

Me too, but unfortunately it's standard idiocy both in schools and in large companies. Whether you're a curious student or a white-hat pentester, it's still the case that if you find something and say something, you're treated as if you were the danger.

“I reported this to our IT department and they were not pleased. They let me know they had the power to expel me but wouldn't.”

This response is grounds for immediate dismissal of the IT person in my view.

By parent's own admission they actually did break into their professor's account. The fact that they reported it did not exonerate them from that act, but did at least get them off with a warning.

The first response should be to be horrified about their own system and fix it quickly. Such a simple hack shouldn’t be possible.

For the most part people in IT departments aren't stupid, they know precisely how crap the software they're stuck using is, they just don't have any real input on the decision process. Blackboard, for instance, is notoriously awful but is everywhere in schools. This often applies to policies as well, unfortunately.

True, but it is nice to have some customer (student) verification of how crappy it is. It helps with future negotiations. Plus, wanting students to trust the IT department is not their enemy is the basis of a good security experience when we notice something about a student's laptop or other device.

I agree but they still shouldn’t threaten people who show these hacks with expulsion. The real bad guys will do their thing without telling anybody and you can assume that this is going on.

You're way cooler than me. I just injected rainbow css banners into my BB posts. I was too scared to try anything else.

I like this so much better because it beautifully demonstrates the problem without cluing anyone else in that there is an exploit unless they care to look at how you're injecting the rainbow CSS banner. And if anyone tells you to stop doing it you can just explain that you thought it was an intentional feature that just wasn't very well documented.

I once wrote a memory resident keylogger back in high-school to catch the lonely sysadmin's network login. Not that I knew what to do with the login, I just wanted to prove to myself that I could.

I got plenty of logins, but not the one I wanted. Until a friend looked over the sysadmin's shoulder. I lost interest right there, but my friend went on to wreck the entire network by mistake and barely escaped paying for the whole mess.

Have to give some credit to the sysadmin for the catch. To figure out who was messing with his stuff, he put a program that emitted a high frequency tone through the PC-speaker in his login script and sat down next door to wait for my friend to take the bait.

When I was a high school sophomore, Blackboard allowed you to customize your student homepage with widgets, one of which was a "notes" widget which allowed you to save random strings which would be displayed on your page next time you loaded it. Fortunately, if you saved arbitrary html, it would be rendered so we embedded flash games for us to play during classes which allowed computer use.

Years ago I had an internship; in the lab there were a couple of airgapped PCs with some confidential stuff on them, at least above my pay grade of $0. I was bored and tried logging in with admin/admin and it worked, basically giving me root level access. I reported it, IT security interviewed me and I wasn't allowed near the PCs for the remainder of my internship.

Seems like their punishment should have been redirected at themselves.

Seems to be no mention of a bug bounty (or a thank you email), despite the severity of the bug and its cleverness.


> 02/27: Attended conference call with Blackboard and NTNU to explain exploit

> Blackboard stopped responding to our e-mails 02/28.

If they were American they would probably be in prison now.

We had another case in Bergen (Norway) where some 13 year old kid wrote a script to search files on school HD for things like usernames, etc.

To his big surprise, he found his own. On a spreadsheet, with usernames and passwords of 35000 others, in clear text.

Turns out students had credentials to such places.

He tipped the school, who in turn called the cops on him. Cops went to his home and confiscated his computer.

Well I'd say that student got a lesson that years of schooling could never provide!

I don't understand this comment. Blackboard has headquarters in Washington D.C.

Those who hacked it (TFA) were not.

Author here. Actually, we were in California when all of this went down. Total coincidence.

Ok, I might be a little out of date with my web development knowledge, but my first question would not be about the origin but about the embedding itself. The user's input is rendered in the web frontend of blackboard? Why?

And second, how did they actually exploit it? Presumably the authentication works by some kind of token, right? Is the client js generally allowed to perform http requests outside of the origin domain? If not how did they hijack the authentication?

The student's input is rendered for teachers to make it easier to grade submissions without opening them in an external tool.

As someone who used blackboard in college I can tell you it's a mess. Neither teachers nor students like it. It integrates with a ton of 3rd party libraries to be "helpful" by embedding content like this but ends up with a ton of different, inconsistent and often broken experiences.

And they're extremely litigious on IP matters which makes competing with them a nightmare.

> my first question would not be about the origin but about the embedding itself. The user's input is rendered in the web frontend of blackboard? Why?

I think Blackboard sees this as a convenience feature, i.e. students submit assignments as, say, PDF documents and they can be viewed directly within Blackboard without the extra steps of downloading. Just silly that it works with anything that can interact with web API, but maybe that was requested specifically?

> Is the client js generally allowed to perform http requests outside of the origin domain?

EDIT: By default, yes, but I'm not sure what restrictions can be applied. (I'm misremembering how CORS even works so I took out my previous paragraph.)

In any case, Blackboard probably provided other tools they could use within the domain as well. For example they could probably trigger some sort of user-to-user private messaging and send the token in the body.

Yes, client JS can make requests outside of the domain as long as the recipient domain allows it with CORS headers.

My freshman year of high school, some seniors got in trouble for changing their grades (I'm almost positive we used Blackboard). Ironically, the kids who did this were all excellent students and the modifications were things like "A- is now an A". The teachers talked about the kids being hackers and that recording grades in software wasn't safe because it meant hackers could always get an A.

Turned out, there was an admin account (u/p: admin/admin or something equally trivial to guess) with superuser access that someone learned.

A while back I looked into blackboard and did some light black box security testing on a demo app. From what I remember it was like Swiss cheese. Ultimately I stopped looking because they didn’t seem too interested. Some of the good ones I found were arbitrary file I/O issues, a few IDOR related problems as well. None of this surprises me.

The funnest school computer exploit I figured out was how to run a game from a USB drive (circa 2007).

I was in an accounting class (using excel) and I tended to finish the earliest with our in-class work because of judicious use of formulas and copy-paste (instead of entering data twice for the two-ledger stuff).

The computers were set to disallow running unapproved programs, but I figured out that you could launch an executable from within a zip file (the computers ran XP IIRC). The only thing left to do was to configure the game at home (before zipping it up) to save files, look for other config, etc. from the drive letter the thumbdrive would be mounted at at school because it of course couldn't save the updated settings to the zip file.

I had a good teacher - he let me sit at the back, and I just kept the volume down :)

I remember when I was a teenager in high school, I found out that ftp.<my_school_district>.net was open, with the login of "admin" and password of "admin".

I wasn't able to figure out how to change my grades (and I would like to think that I wouldn't have even if I could have), but I did find a directory of all their registered software that I was able to download, and the teachers' profile pages were editable. If I recall, I think I edited the profile of one teacher (that I was reasonably certain wouldn't get me in trouble if I got caught) to end with "Mr. <Teacher's Name> is a goofball".

I think the most maddening thing you could do in that scenario without being malicious would be to just log in periodically, pick a teacher at random, and "corrupt" their name randomly. Switch two letters, insert random symbols and numbers, etc. Don't make the names insulting or anything, just make a subtle, visible, slowly progressive 'bug'.

Assuming it isn't ignored, you can smile to yourself years later at the thought that there is a bug report open somewhere that a poor engineer has probably spent weeks trying to reproduce.

I didn't really want to make anyone's life miserable; I'll admit that the thing I wanted most was to be able to do what Matthew Broderick did in WarGames and change grades, though as stated I at least told myself I wouldn't actually go through with it.

When I was in HS, it was GradeQuick, and my teacher typed his password in front of the whole class on an on-screen keyboard of his tablet projected on the wall. I tested the password out, but didn't change anything.

This seems to require a lot of trial-and-error. How did they do it? Did they send tons of crappy content to their teacher before finding the vulnerability that passed the filter?

From the video it seems they had instructor's access.

But in real life they could save a draft and view it as a student to see if they can hijack the session.

Another perhaps lesson - if security really matters - perhaps instructors and students should have completely different decoupled apps to do the job. (security through obscurity)

We need more stories like this :) Break the system, demonstrate how it's done, and let it improve itself. White-hat hacking, isn't it?

Changing your grades may look like a thrill now but in the long run you're only screwing yourselves.

Yeah earning that A in Sociology 101 really changed my life's trajectory.

If you earned that grade honestly a few ideas may stay with you for your entire life and that may change your life, even if imperceptibly. Anything you study has the potential to make you a better, more well rounded, knowledgeable and less ignorant person.

> Anything you study has the potential to make you a better, more well rounded, knowledgeable and less ignorant person.

This is a pretty meaningless sentiment. There are plenty of things one can study that will lead to more ignorance and less well-roundedness. In the extreme, this is pretty much how cults can operate. I believe it also applies to a number of subjects in mainstream universities, but I am not going to hop into that fire pit.

You already did. Why not choose the right university/curriculum that you're interested in? Or you have a problem with most of them?

No I did not.

It's a university.. there are a broad array of departments and courses, and I am saying that a handful of them at a multitude of universities have the potential to close minds and lead to more ignorance - this broad statement isn't too controversial - witnessed by the very vocal debate about it. I am not going to jump into the pit of the specifics of that debate though.

Exercising your ability to sit down and Just Do It instead of giving into shortcut temptations probably did change your life trajectory over the years.

Also, seems like a weird bar. I doubt any single class "changed your life trajectory." Why would it need to? I could say that about very few things in life.

But I get it, liberal arts bad, STEM good.

> Exercising your ability to sit down and Just Do It

Have you considered the possibility that he's a highly motivated person who simply has a more creative "It" in mind?

Since they told the IT department, I assume their grades were changed back.

They did it to show they could, I guess.

I don't follow, could you explain?

The theory of higher education and a liberal arts degree, is what I'm assuming OP is talking about.

The idea of a liberal arts degree at a university is to create a well-rounded individual. The idea of taking classes outside your major is to learn about life. The idea of even going to college (which is ENTIRELY optional) is to learn. Not just to pass classes and get an A.

This is something that, traditionally, CS and Engineering students like to shit on - as an example, see the other post about Sociology being useless.

The thing is, there are boot camps and trade schools to learn job skills. People are now attending University and complaining about the 'gen ed' courses in their degree because they're not "useful for my future". This is meant to be "not job skills directly connected to what I think I want to grow up to be".

They aren't supposed to get you a job. They're not job skills programs. They're liberal arts programs. They're supposed to make you into a fully realized human. Those other general courses exist because many students enter college not knowing what their passions are, right or wrong.

Source: My career in higher education. One thing has been constant in the decades that I've worked in this field - Engineering and CS students complain about and shit on the 'gen. ed' classes more than any other major. They also don't like hearing that they can just go to trade school or a boot camp if they just want job skills training; which makes no sense to me - trade school is cheaper, and boot camps are shorter in duration.

"trade school is cheaper, and boot camps are shorter in duration."

Right now, they are quite inferior. Not because they are necessarily bad, but just, they don't last long enough to cover what a computer science education does. (Bearing in mind I am aware that "computer science" and "programming" aren't even really the same thing.) I think, without judging it good or bad, if something could fill in the gulf between the 4-year rounded degree and its computer programming content and the 8-week bootcamp a lot of people would be interested in it, but there's a lot of activation energy required there.

When I took computer science 20 years ago, it was only marginally related to "programming", and it has gotten much worse since then, because "programming" hasn't exactly changed but all the stuff around it has. "Deploying" used to be copying over the directory full of .ASP or .PHP files and maybe restarting the server, not committing to source control, handling a PR, running through CI, open source compliance analysis, and sundry other automated things, to be packaged up to something that we use devops tools to manage deploying, etc. etc. I'd love a new graduate who came to me with enough programming skills to prove they can do it, but knew source control, monitoring, basic commit hygiene, and the dozen other skills you need to have nowadays to get anything released to the public. You'll learn none of that in college.

And I'm not even saying you necessarily "should". But you definitely don't.

> The idea of a liberal arts degree at a university is to create a well-rounded individual.

That was the original idea, yes. That does not mean that actual liberal arts degrees today at actual universities actually come anywhere close to doing that. For one thing, under that original idea, science was one of the liberal arts, and anyone who expected to be considered well rounded had to study it. How many liberal arts programs include any kind of serious exposure to science?

> see the other post about Sociology being useless

To the degree that it claims to be a science, I would argue that it probably is. It has basically no predictive power.

I appreciate your perspective.

Why should teenagers receive federally subsidized loans in the tens to hundreds of thousands of dollars—not dischargeable even in bankruptcy—to receive such a degree? How is that a wise financial decision for a normal person rather than merely an amusing hobby for the hereditary rich?

What's the point of going to school then if not to expose you to things and make you a better, more knowledgeable, well rounded person? If only grades matter then you can buy a fake diploma and you're done with it.

You may be aware that you don't need to go to college in order to be a software developer/hacker. But if you decide to do that then what's the point in faking the grades?

> What's the point of going to school then if not to expose you to things and make you a better, more knowledgeable, well rounded person?

To get the really expensive piece of paper that lets you through the HR gatekeeping.

Unfortunately, there truly isn't a point to many of the things we do in education, especially at the college level.

I went to college because I wanted to get a job as a high paid software engineer.

And although many of the classes that I took did indeed help me with this goal, many of them that I had to take did not.

It would have been awesome if I could have replaced some of my required classes that weren't particularly useful, with more focused ones on web development, and industry related.

If grades don't matter, why did you show up for the exam?

They quite clearly said that it's not just grades that matter. Also, you'd show up to the exam so you don't suffer the university's consequences like academic probation and scholarship forfeiture, even if you were somehow "anti grade," whatever specious mindset you are envisioning.

Besides, I don't think anyone making their point would suggest that you shouldn't try to make good grades, which involves learning a subject well enough, including doing the boring work, to get a good mark.

I agree with them. If grades are the only thing you care about such that you'd be fine with paying an insider for a diploma without doing the work, then I'd say you wasted the entire opportunity and only exercised your ability to cheat and be dishonest.

I've seen a lot of jobs where the basic role was to circumvent laws/regulations and otherwise get past obstacles. Using zoning regulations and court maneuvers to block competitors from developing businesses, lobbying for certain laws and exemptions, etc.
