Bill Demirkapi, an 11th grader in Lexington, Massachusetts, had found a vulnerability in Aspen, the software his school uses to deliver students' grades, transcripts, and schedules. With this sort of access, an attacker could obtain a student's password, their birth city, details on their free or reduced lunch, and other information.
But Demirkapi didn't want to abuse the vulnerability he discovered. He wanted to do the responsible thing and let the company that makes the software, Follett Corporation, know about the issue so it could fix it and make students' personal data safer. The problem was that Follett didn't respond to Demirkapi's multiple attempts to warn it about the vulnerability. So he tried a different approach and used a feature of the software to send a message to Follett.
"Hi there bill demirkapi 123 was here. Follett Corporation has no security. Here are your cookies, no worries I didn't steal them :)," Demirkapi wrote.
Instead of his message just going to students or Follett, it blasted mobile notifications to "parents, district administrators, teachers, everyone" in the school district, likely thousands of people, Demirkapi told Motherboard in a phone call. The message was removed a few hours later, and he was briefly suspended from school for the incident.
"The school wasn't really happy about it; I can understand," Demirkapi said while presenting his research on Friday at the annual DEF CON hacking conference. The crowd applauded when he described his broadcast message.
After some more roadblocks, such as Demirkapi's school telling Follett that the company couldn't talk to him, he was eventually able to disclose the vulnerabilities and they were fixed.
That vulnerability and others Demirkapi discovered in more software highlight how information security in the education sector has been overlooked, even though it impacts a massive number of people across the country, and how difficult it is to responsibly disclose vulnerabilities to education vendors.
Education information security impacts "People who can't defend themselves basically. Children," Demirkapi said.
The Aspen vulnerability itself was a cross-site scripting filter bypass. Cross-site scripting is when an attacker can enter their own scripts into a website, which then run in the browsers of other people who view the page. Plenty of websites have filters in place that strip script content out of requests so attackers have a harder time sending malicious commands. Aspen's filter didn't work effectively, though: it only removed parts of the command, leaving the malicious section intact.
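The following is an added illustration, not part of the original article and not Aspen's code: a generic strip-style filter of the kind described above, next to output encoding, run over constructed sample messages. The function names and inputs are assumptions made for the example; the article does not describe how Aspen's filter was implemented.

```javascript
// Added illustration; not Aspen's code. All names and inputs are constructed.

// Weak approach: delete a blocklisted pattern from the input in a single pass.
function stripBlocklist(input) {
  return input.replace(/<\/?script>/gi, "");
}

// Robust approach: encode on output so the browser renders input as text.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// True if the string would still be parsed as containing an HTML tag.
function hasMarkup(s) {
  return /<\/?[a-z]/i.test(s);
}

// Run both defenses on one input and report what survives.
function compare(input) {
  const stripped = stripBlocklist(input);
  const escaped = escapeHtml(input);
  return {
    stripped,
    strippedHasMarkup: hasMarkup(stripped),
    escaped,
    escapedHasMarkup: hasMarkup(escaped),
  };
}

// Constructed sample messages: benign text, a plain tag, and a nested tag.
const samples = [
  "Lunch menu updated",
  "<script>alert(1)</script>",
  "<scr<script>ipt>alert(1)</scr</script>ipt>",
];

for (const s of samples) {
  console.log(JSON.stringify(s), compare(s));
}
```

In the nested sample, removing the inner tags reassembles a complete tag from the leftover pieces, which is why removal-based filters need to be replaced by (or at least backed by) encoding at the point of output.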
Demirkapi also found multiple SQL-injection vulnerabilities in Blackboard, software made by the company of the same name that schools use to deliver news, lunch balances, athletic details, and more. With this access, a hacker could have accessed data belonging to 5,000 schools and around 5 million students and teachers, including people's email address, phone number, grades, bus route, attendance, immunization records, and social media account.
"The database wasn't restricted for every school," Demirkapi said. "[An attacker would have] access to every single school that was using Blackboard Community Engagement." Demirkapi said he never accessed any student data other than his own.
The disclosure process around those problems had its own issues too. Blackboard did not respond to Demirkapi's multiple emails even though they were reading them; Demirkapi put a tracking tool inside his emails to check they had been opened. Eventually, he reached the company by contacting it through his school.
A Blackboard spokesperson told Motherboard in an emailed statement “Security of our products and our clients’ information is of the utmost importance to us. We greatly appreciate third-party researchers who use responsible disclosures to alert us of any vulnerabilities. We commend Bill Demirkapi for bringing these vulnerabilities to our attention and for striving to be part of a solution to improve our products' security and protect our client’s personal information."
"We have addressed several issues that were brought to our attention by Mr. Demirkapi and have no indication that these vulnerabilities were exploited or that any clients’ personal information was accessed by Mr. Demirkapi or any other unauthorized party. We continuously evaluate and look for opportunities to enhance our security policies and procedures," the statement added.
Follett did not respond to a request for comment, but Demirkapi said during his talk the company was thankful for the disclosure.
Doug Levin, the founder and president of consultancy firm EdTech Strategies, said that the vulnerability disclosure process in education information security is "Quite varied, but generally speaking not great."
Jared Folkins, executive director of OpsecEdu, a group focused on campaigning for better disclosure processes around information security in education, wrote in an email "For most EdTech vendors, there is no path for disclosure and in fact, disclosing can expose the researcher to liability as we have seen researchers in OpsecEdu’s own community threatened into silence."
Now, Demirkapi will be attending the Rochester Institute of Technology this fall.
"With the goal being to find something in my school’s software, it was a fun—gamified way of teaching myself a significant amount of penetration testing. Although I started my research with the intent to learn more, I ended up finding out things were a lot worse than I expected," he writes in one of his talk slides.