Posted on August 10, 2019 at 11:34 PM
School Hacking Is Still a Thing: Bored, Cybersecurity-Loving Teen Reveals How He Got Access to Millions of Student Records
The image of the bored teenager who hacks his high school to change his grades is, according to recent reports, still alive. Most of the noteworthy hacking today is done by government agencies and criminal groups going after large corporations, so there is something almost refreshing in learning that people still hack schools just to fix a few grades. It also shows how weak school software security still is.
Only a few days ago, 18-year-old Bill Demirkapi attended the Defcon hacker conference in Las Vegas. There, he presented the results of three years of research into his school's software, which began when he was a high-school freshman.
Back then, he started looking into the web interfaces of two products sold by different companies, Follett and Blackboard. Both were used by his school, and while studying them he found flaws in each that gave him access to the data of practically every student.
Demirkapi says he found up to 5 million records, covering teachers as well as students. The records included grades, cafeteria balances, hashed passwords, immunization data, schedules, photos, and more. He points out that he was only 16 when he stumbled upon the bugs, and argues that if he could do it, there is no reason professional state-sponsored hackers could not do the same.
Demirkapi openly admitted that he was able to reach practically everything the school held. He describes the state of cybersecurity in education software as extremely poor, made worse by the fact that nobody pays attention to it.
School software had critical bugs
Based on what has been made public, Demirkapi identified a series of fairly common web bugs in Follett's Student Information System and Blackboard's Community Engagement software, including SQL injection and cross-site scripting flaws. SQL injection lets user-supplied input alter a database query, so a request meant to return one student's record can be made to return everyone's.
In Blackboard's case, these bugs gave him access to a database holding 24 categories of data. As mentioned, this covered practically everything, from discipline records and phone numbers to attendance data and bus routes. Worse, the data appeared to span about 5,000 schools and 5 million individuals in total.
In Follett's software, he says he found vulnerabilities exposing other kinds of data, including grade point averages, suspensions, special education status, and passwords. Unlike Blackboard's hashed passwords, these were stored in plaintext and could be read as-is.
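As an added example (this is not code from either vendor's product, nor Demirkapi's own), the following Python script shows the two failure modes this section describes side by side: a lookup that splices user input into SQL, so a single injected string returns every student's row, and a password column that, when stored in plaintext, is readable straight out of that dump, next to a salted PBKDF2 hash column that is not. The table, student names, passwords and payload are constructed for the demo and are not real records.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample data for this demo; not real student records.
STUDENTS = [
    ("alice", 3.9, "alice-pass-1"),
    ("bob", 3.1, "hunter2"),
    ("carol", 2.7, "correct horse"),
]

# Classic tautology payload: closes the quoted string and appends an always-true clause.
INJECTION = "' OR '1'='1"

# Demo constant; production deployments should use a higher iteration count.
PBKDF2_ITERATIONS = 200_000

Row = Tuple[str, float, str, str]


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as algo$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def setup_db() -> sqlite3.Connection:
    """In-memory SQLite table holding each password both ways, so a dump can be compared."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (name TEXT PRIMARY KEY, gpa REAL, "
        "password_plain TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO students VALUES (?, ?, ?, ?)",
        [(name, gpa, pw, hash_password(pw)) for name, gpa, pw in STUDENTS],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Row]:
    """VULNERABLE: the caller's string is spliced into the SQL text, so it can rewrite the query."""
    sql = (
        "SELECT name, gpa, password_plain, password_hash FROM students "
        f"WHERE name = '{name}' ORDER BY name"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[Row]:
    """HARDENED: a bound parameter is only ever compared as a value, never parsed as SQL."""
    sql = (
        "SELECT name, gpa, password_plain, password_hash FROM students "
        "WHERE name = ? ORDER BY name"
    )
    return conn.execute(sql, (name,)).fetchall()


def readable_passwords(rows: List[Row]) -> List[str]:
    """What an attacker gets from a plaintext column: the passwords themselves."""
    return [row[2] for row in rows]


if __name__ == "__main__":
    db = setup_db()
    leaked = lookup_vulnerable(db, INJECTION)
    print(f"vulnerable lookup with payload {INJECTION!r} returned {len(leaked)} rows")
    print("plaintext column leaks:", readable_passwords(leaked))
    print("hashed column leaks only digests:", [row[3][:40] + "..." for row in leaked])
    print("hardened lookup with the same payload returned", lookup_safe(db, INJECTION))
    print("hardened lookup for 'bob' returned", [r[0] for r in lookup_safe(db, "bob")])
```

The injected query becomes `WHERE name = '' OR '1'='1'`, which matches every row; the parameterized version compares the whole payload as a literal name and matches nothing. Even when the hashed column is dumped, each entry carries its own random salt, so the digests cannot be looked up in a precomputed table and must be brute-forced one at a time.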
Demirkapi also says he had been exploring hacking for about two years by the time he got into Follett's software, and that he was better informed of the legal risks of his actions by then. As a result, he says he only checked his own data and that of a friend who had given him permission. He did this only to confirm that the bugs exposed the data the school collected, and went no further, so as not to run afoul of the Computer Fraud and Abuse Act and similar laws.
George Gatsis, Follett's senior VP of technology, thanked Demirkapi for reporting the bugs, saying they were all fixed back in July 2018. However, Gatsis also claims that Demirkapi could not have accessed other people's data even by fully exploiting the flaws he uncovered. Demirkapi disputes this: he says he did have access to others' data, and backed it up by showing Follett's developers the password of the friend who had allowed him to look up his account.
Blackboard also thanked Demirkapi and said it found no evidence that anyone else had exploited the same bugs to access student or staff information. The company added that it found no proof that anyone, Demirkapi included, had accessed other people's data within the system.
Teen hacker’s warnings were completely ignored
Asked why he explored the two firms' software, Demirkapi said he was driven by a mix of ambition to learn about cybersecurity and hacking, and teenage boredom. He stressed that he never tried to change anyone's grades, and that doing so would have required deeper access than he reached.
He did admit, however, that he exploited flaws in a college's admissions software to change his own status to "accepted." A spokesperson for the college said that doing so would not by itself have gotten him admitted.
He also tried to report the bugs to the two companies, and says he had trouble convincing either firm to take his warnings seriously. He first approached Follett through an intermediary, his school's director of technology, who, he recalls, reported back that the firm dismissed the warning. He later emailed both companies himself. Follett ignored his email entirely, while Blackboard said it would investigate but apparently never did.
After a few months, when it became clear that neither firm was acting on his warnings, he exploited the software again: he used the flaws to push a notification reading "Hello from Bill Demirkapi :)" to everyone using Follett's app, including students, teachers, and students' parents.
The move did not have the result he hoped for at the time. He was suspended for two days, and he admits it was immature, but every other attempt to get the flaws addressed had failed. He finally got the firms to take him seriously in 2018, with help from the school district's director of technology and from Carnegie Mellon's CERT Coordination Center.
Blackboard offered him an agreement stating it would not sue him over the intrusion; in return, he had to keep the flaws secret until they were fixed. That was the second draft. The first demanded that he stay quiet about the flaws even after they were fixed.
Now, with the flaws fixed and the story public, Demirkapi remains deeply concerned about the security of education systems. He says nobody seems to care about protecting schools, students, and staff, because the incentives are weak, and he notes that neither firm runs a bug bounty program. Both companies maintain that their software is secure and regularly audited, yet a 16-year-old with no budget found serious flaws in both products and struggled for months to get them acknowledged.