Teen Hacks His School Software and Exposes the Data of Millions of Students

Guilo Saggon:

A teenager has uncovered numerous flaws, including SQL injection and XML inclusion vulnerabilities, within software used in his school.

18-year-old Bill Demirkapi discovered flaws in, among others, Follett’s Student Information System and Blackboard’s Community Engagement software when he was 16, and continued his research right up to his graduation this spring.

Hacking Blackboard’s Community Engagement gave Demirkapi access to the records – from phone numbers to discipline records, bus routes and class schedules – of more than 5,000 schools and around five million students, while Follett’s Student Information System included student passwords that were unencrypted and in fully readable form.

According to Demirkapi, who gave a presentation at the DEF CON 27 conference in Las Vegas, there was nothing high tech about his way of accessing the data: “My method of finding vulnerabilities was … really inadequate and non-professional. It was just looking at pages and trying to mess with the parameters. The state of cybersecurity in education software is really bad, and not enough people are paying attention to it.”

Among Demirkapi’s discoveries was a local file inclusion flaw that redirected users to a servlet called toolResult.do when they downloaded their report card or schedule.