#DEFCON: American Teen Exposes Flaws in School IT Systems


The challenges of government and enterprise IT security have been documented in a multitude of reports over the years, but what is the state of IT security within American schools?

At the DEF CON 27 conference in Las Vegas, 18-year-old Bill Demirkapi detailed how he discovered multiple vulnerabilities within several different software applications used in his school, including Blackboard's Community Engagement software and Follett's Student Information System. He started finding the issues when he was 16 years old and continued his research until he graduated in spring 2019.

The bugs ranged in severity and type and included SQL injection as well as XML inclusion vulnerabilities. While the impact varied from bug to bug, Demirkapi said that he could have exfiltrated students' personally identifiable information or even changed his own grades.

"I knew that there were a lot of schools using the software," Demirkapi said. "My method of finding vulnerabilities was...really inadequate and nonprofessional. It was just looking at pages and trying to mess with the parameters."

Among the simpler flaws he discovered was improper access control in the student information system. Demirkapi explained that most record identifiers in the system were plain incrementing integers, so changing the ID in a request was enough to walk through the records and identify any student: the classic insecure direct object reference pattern. He also discovered a local file inclusion flaw.
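To show why incrementing identifiers combined with a missing ownership check are so dangerous, here is an added example written for this page; it is not code from the article, from Follett, or from Blackboard. It models a toy student-record store whose IDs come from a counter, a lookup handler that checks only that the caller is logged in, the same handler with the ownership check added, and the ID-walking loop an attacker would run by editing a request parameter. The record data, IDs and function names are constructed for illustration.

```python
"""Added example (not from the article or the vendors it names): sequential IDs
plus a missing ownership check let any logged-in student read every record."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Student:
    student_id: int          # assigned from a counter, as the article describes
    name: str
    grades: dict


# Constructed sample data. Because IDs are sequential, every valid ID sits
# next to another valid ID, so guessing is trivial.
_DB = {
    1001: Student(1001, "Alice Example", {"Math": "A"}),
    1002: Student(1002, "Bob Example", {"Math": "B"}),
    1003: Student(1003, "Carol Example", {"Math": "C"}),
}


class Forbidden(Exception):
    """Raised when a request is rejected by the access-control check."""


def report_card_vulnerable(session_student_id: int, requested_id: int) -> Student:
    """Vulnerable: verifies the caller is logged in, then serves whatever ID
    was requested. Authentication without authorization (an IDOR)."""
    if session_student_id not in _DB:
        raise Forbidden("not logged in")
    return _DB[requested_id]          # any valid ID is returned


def report_card_fixed(session_student_id: int, requested_id: int) -> Student:
    """Fixed: the record is returned only when it belongs to the caller.
    (A real system would also model staff roles; none are modelled here.)"""
    if session_student_id not in _DB:
        raise Forbidden("not logged in")
    if requested_id != session_student_id:
        raise Forbidden("not your record")
    return _DB[requested_id]


def enumerate_records(handler, session_student_id: int, start: int, count: int) -> list:
    """Walk a range of sequential IDs through `handler`, the way an attacker
    would by editing the ID parameter in a browser; returns every record served."""
    leaked = []
    for candidate in range(start, start + count):
        try:
            leaked.append(handler(session_student_id, candidate))
        except (Forbidden, KeyError):
            continue
    return leaked


if __name__ == "__main__":
    # Alice (1001) walks IDs 1000..1009 against both handlers.
    print("vulnerable:", [s.name for s in enumerate_records(report_card_vulnerable, 1001, 1000, 10)])
    print("fixed:     ", [s.name for s in enumerate_records(report_card_fixed, 1001, 1000, 10)])
```

Against the vulnerable handler the walk returns all three students; against the fixed one it returns only the caller's own record. Note that switching to random identifiers would slow the enumeration but would not fix the underlying bug; the ownership check is the actual fix.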

He explained that when a user downloaded their schedule or report card, the application redirected them to a servlet called toolResult.do.
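The article does not describe the toolResult.do flaw in detail, so the following is an added example written for this page rather than the vendor's code: a download handler in the style of such a servlet, first in the form that produces a local file inclusion bug (the request's file name is joined straight onto the download directory) and then with the containment check that closes it. The directory layout, file names and function names are assumptions constructed for illustration.

```python
"""Added example (not from the article or the vendors it names): a report-card
download handler with and without path containment."""
import tempfile
from pathlib import Path


class NotFound(Exception):
    """Raised when the requested file is outside the download area or missing."""


def download_vulnerable(base_dir: Path, requested: str) -> bytes:
    """Vulnerable: joins the user-supplied name onto the base directory.
    '../' segments (or an absolute path) escape base_dir."""
    return (base_dir / requested).read_bytes()


def download_fixed(base_dir: Path, requested: str) -> bytes:
    """Fixed: resolve both paths (collapses '..' and follows symlinks) and
    refuse anything that does not stay inside base_dir."""
    base = base_dir.resolve()
    target = (base / requested).resolve()
    if target != base and base not in target.parents:
        raise NotFound("file not in download area")
    if not target.is_file():
        raise NotFound("no such file")
    return target.read_bytes()


def build_fixture() -> tuple:
    """Constructed layout: a 'reports' directory holding one report card,
    next to a 'secret.txt' that must never be reachable through the handler."""
    root = Path(tempfile.mkdtemp())
    reports = root / "reports"
    reports.mkdir()
    (reports / "report_card_1001.pdf").write_bytes(b"%PDF-1.4 report")
    (root / "secret.txt").write_bytes(b"db_password=hunter2")
    return root, reports


def demo() -> dict:
    """Run a legitimate request and a traversal attempt against both handlers."""
    _root, reports = build_fixture()
    out = {}
    out["legit"] = download_fixed(reports, "report_card_1001.pdf")
    out["vuln_escape"] = download_vulnerable(reports, "../secret.txt")
    try:
        download_fixed(reports, "../secret.txt")
        out["fixed_escape"] = "served"
    except NotFound:
        out["fixed_escape"] = "blocked"
    try:
        download_fixed(reports, "/etc/hostname")
        out["fixed_absolute"] = "served"
    except NotFound:
        out["fixed_absolute"] = "blocked"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The vulnerable handler happily returns the sibling secret file for `../secret.txt`; the fixed one rejects both the traversal and an absolute path because neither resolves to a location under the download directory. Resolving the base directory as well matters on systems where it is reached through a symlink, otherwise the comparison fails even for legitimate requests.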
