Are Your Child's Records at Risk? The Current State of School

Formal Metadata

Title: Are Your Child's Records at Risk? The Current State of School
Number of Parts: 335
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract: From credit reporting agencies to hotel enterprises, major data breaches happen daily. However, when was the last time we considered the data security of children and middle-level education students? The infosec community spends so much time thinking about enterprise security and user privacy, but who looks after those who can't defend themselves? Unknown to most, there are only a handful of major educational software providers, and flaws in any of them can lead to massive holes that expose the confidential information of our rising generation, this speaker included. Additionally, while many dismiss educational data as "just containing grades", the reality is that these systems store extremely sensitive information, from religious beliefs and health and vaccine-related data to information about parental abuse and drug use in the family. This talk will cover never-before-seen research into the handful of prominent educational software companies, the vulnerabilities that were found, the thousands of schools and millions of students affected, and the personal fallout of such research. Vulnerabilities discussed will range from blind SQL injection to leaked credentials for the entire kingdom. If a high school student can compromise the data of over 5 million students and teachers, what can an APT do?

Bill Demirkapi
Bill is a 17-year-old high school student with an intense passion for the information security field. Bill's interests include game hacking, reverse engineering malware, and breaking things. Next year, Bill will be attending the Rochester Institute of Technology, where he hopes to grow his career and knowledge in the enormous field of cybersecurity. In his pursuit to make the world a better place, Bill constantly looks for the next big vulnerability, following the motto "break anything and everything".
Transcript: English (auto-generated)
Without further ado, you wanna get started? Sure. Alright, take it. Well, thank you for coming to my talk, I appreciate it. I was kind of worried there'd only be like 2 people here, so I'm really happy that there's at least 20 people. So yeah, who am I? My name is Bill, if you didn't know that. I turned 18 this past July. I love breaking applications. I graduated from high school back in June, and I'll be attending RIT this fall. Woo!

So what's my research about? Over the past 3 years in high school, I've really wanted to look at the different software that my school uses, just because I think that it's a very valuable learning lesson, and I thought it was a really fun way of learning different aspects of web application testing by testing it on a real target like my own grading system.

So let's quickly go over the different types of software I researched. The first piece of software I researched was the Follett Student Information System, but this usually goes by Aspen. My school specifically used them for grading, schedules, transcripts, pretty much everything that my school needed to use the school's software for. My research into the Follett Corporation was primarily done maybe a little bit in 9th grade, but mostly in 10th, 11th and 12th grade. Here's a map of Follett, and specifically the schools that were impacted by any vulnerabilities I found. They primarily have a lot of schools in Massachusetts and Rhode Island, but they did have a few other schools in the United States. I just didn't think it was worth pulling up an entire map, just because there are so few.

The second piece of software I researched was Blackboard Community Engagement, and it was advertised as being capable of delivering news, academics, lunch balances, athletic details. Our school only used the notifications portion of the software, but I knew pretty fast after some basic research that other schools used the entire suite of capabilities. The research into Blackboard was done in two parts, first during 2017 to 2018, and then again near the end of 2018. Blackboard does have a so-called bug bounty, where they provide some sort of safe harbor for reporters, but this didn't really work out as expected. Here's a map of the Blackboard schools. This might not look as much as Follett, but it definitely is; I think it's about 10 times the schools Follett Aspen had, so it's pretty prevalent in the United States. There were some schools internationally, but it was, again, only a few, so it wasn't worth putting them in the map.

So, to start off with Aspen, Follett's student information system. For most user-supplied parameters, Aspen filters them for malicious input. The filter took the approach of sanitizing and removing malicious input, rather than just dropping the request as a whole. So what would happen is, if you gave it a malicious payload, it would reflect back the payload stripped of any malicious components, for example a script tag. This was an interesting opportunity, because if we can find a way to bypass the filter, since the request still goes through, it would allow us maybe to do some attacks. So it had a very big flaw by design. If you took a basic string like script prompt hello world, Aspen removed the script tags, because they blacklisted those, and just output prompt hello world. But the flaw was that they only did this sanitizing run once. So what would happen is, if I included a blacklisted tag inside of a script tag and then did prompt hello world and did the same thing with the end script, it would actually reflect back as script prompt hello world. This was a pretty simple vulnerability; I mean, cross-site scripting vulnerabilities are found all the time. The interesting part about this one was that this filter was used throughout the entire site. So if you were able to bypass their little filter, you could pretty much reflect any XSS payload into a significant number of parameters that were reflected into the response. But also, this was like my first ever vulnerability in my school's grading system, and so it was really motivating to me. After finding one, it really encouraged me to look more, because when I was first starting, it just felt like I would never be able to find a flaw in someone with a bachelor's degree in computer science. I kind of felt hopeless, but then after finding one, it really made me motivated that, hey, if there's one mistake, maybe there's more.

So the next vulnerability was improper access control. Aspen runs on the Spring Framework on Java, and for those uninitiated, the Java Spring Framework has these things called beans. From what I interpreted, it seemed like they were structs or classes; for example, students have their own bean and there are instances of that bean. So in Aspen, a student bean has the name Sys Student, and I think this stands for student information system student, but the issue again was that they had a security design flaw. They had a servlet called blobedit.do, and this servlet was available for any logged-in user, so including students; I was able to access it myself. It took in 3 parameters. It had a read-only, whether or not you wanted to edit the blob; it had an object ID specifier, where you specify an object that you wanted to get the property from; and then property as string is the property name you actually wanted to get. So what would happen is, when you access this blob edit with, for example, a Sys Student bean, you could read properties of that bean, and you can do this for other bean instances as well. When reading another student's bean instance, I expected to be greeted by this insufficient privileges exception. I saw it before when I was trying to do an action that I probably shouldn't be doing; it would just raise this exception saying, by the way, Bill, you can't do this. But when I tried it on my friend's bean instance, I saw that I actually could access the properties of his bean. After doing some investigating, I found out that I can edit and write to objects I own, and that I can read the properties of any other object, specifically any other student object. Most of the properties of the Sys Student bean were incremental, in the form of a STD field. It would be A through D and then a number between 0 and 110. So this made it really easy to just write a simple utility to dump all the fields of a bean, specifically a student bean. The key thing to remember is that if I had someone's student object ID, I could get all these properties. And the student object IDs were easily brute-forcible. My personal student bean ID was STD and then 7 zeros, and then it was just MTAASN. But the unique part of that was only the MTAASN, which is 5 characters. So it wouldn't be that difficult to predict someone else's student object ID either. I was able to access plain-text passwords, my birth city, birth country, whether or not I can speak English, whether or not my family was in the military, whether or not I had financial problems and needed assistance with lunch, whether or not I was suspended, my special education status, my GPA. The funny part was that for my own objects, like I said, I can edit them. So I can edit my own weighted GPA, which was pretty cool.

So the next vulnerability was external XML entity inclusion. There's another servlet, student recent activity dot do, and it took in a parameter called preferences. Now, preferences for some reason were supplied as XML. I don't know why they did that, but basically there'd be a preference set that would be passed in, and different preferences you wanted to update. For example, one of them was a date range, and it was an integer, and you would pass in the date range you want to see recent activity for. Aspen did use Java's SAX parser to parse it, but the issue was that, again, they had a flaw by design. In a secure system, the SAX parser would not allow document types or XML external entities, but the Follett Corporation forgot to do so. So I was able to send my own XML payload where I could grab file content from a system file path. I could say like file:///etc/passwd, and it would reflect back in the date range what I'd be setting for the date range preference. Aspen actually had very verbose error messages; whenever you tricked the server into doing something, it would print out a full stack trace of what happened. So it was pretty simple: when I input file content for date range, it would try to parse it as an integer, but file content's probably not going to be just a number. And so what would happen is it would say, hey, I can't parse this thing as an integer, and end up actually reflecting the file content into the response. This was nice because I didn't have to send my file content over to a remote server, which was a little bit complicated because of their internal firewall. But I made a small utility that allowed me to dump files, and I found out that I had access to anything the Tomcat user had access to. Having this file system access was really dangerous for them, because it seemed like a lot of instances of Aspen were running on this one server.

So the next vulnerability was a pretty straightforward local file inclusion. How this worked was, whenever you process the result of a tool, like a schedule tool or a grade tool, you'd be redirected to tool result dot do. And this servlet took in a GET parameter file name and another parameter called download. So after running a tool, or attempting to download a file that was generated by a tool, you'd be redirected. What you could do is actually use relative path escapes. The file name would be something like student schedule dot PDF, and you can do ../../ a couple of times to get to the root directory of the server, and then you could do /etc/passwd. This really well complemented the previous vulnerability, because what it allowed me to do was access binary files. XXE has some trouble doing that; you can send it to remote servers, but it gets a little bit complicated there. This allowed me to get access to any binary files too, so it was a really neat vulnerability to complement the previous one.

So transitioning to Blackboard, I found some interesting pages while doing some subdomain scans. Two of them, the app manager and M support subdomains, looked interesting because I found out that they were running a little bit outdated version of Django, but nothing too serious like critical remote code execution. But whenever I went to a page that didn't exist, I saw this neat verbose message saying that the page was not found, and it also told me what other regexes I could use to match a page on that root directory. And I noticed that it said at the bottom, you're seeing this because debug is set to true. So what Blackboard had done is conveniently left debug set to true on two subdomains, the app manager and M support subdomains. When I did some research into Django debugging, it apparently turns out that leaving this enabled is quite a serious issue because of how much Django prints out. It turned out that whenever you have an exception by code, it'll be really nice and actually print out the metadata for that code. So it would print out whatever settings were running for that server instance. The way I actually caused an error by code would be by using these two brackets, and what it would do is tell the server, hey, I'm passing in an array. And since it was expecting not an array, just a normal value, it would throw an exception because it was trying to read a value that was an array and it wasn't expecting that. When an exception occurred, it would print out all the metadata, and I found a lot of interesting stuff inside of that metadata.

In the app manager subdomain, the metadata included the Jenkins instance URL and an active API token to this Jenkins instance. This Jenkins instance was accessible to the public, meaning that I didn't have to go through their internal firewall or network to get to it. I had unrestricted API credentials to Blackboard Community Engagement; they had an API user that I think had access to pretty much all schools that were on the Blackboard instance. And I got admin credentials for the M support subdomain, and interestingly enough, I found 27 credentials to Apple's provisioning service. These were 27 different districts. I think the subdomain suggested, app manager, that these were school apps and school accounts for publishing apps to the App Store. So it was interesting to see that all this stuff was just returned by metadata and the settings for the server. From the M support subdomain, I found out that the metadata included database credentials for pretty much every database Blackboard Community Engagement had, admin credentials for the app manager subdomain, and Jenkins credentials, not an API key but an actual user credential. Fortunately for Blackboard, the databases were behind an internal firewall, so an attacker couldn't just go and connect to them directly. But it was really interesting to see the passwords, because, let's just say they weren't very secure. One of them was like Romania, but with an @ for an A.

So going on to SQL injection. Back in April of 2017, when I first learned that Blackboard Community Engagement was used by our school, I found out that, again, it was used for emergency notifications, and when I logged in I could see that I had my cafeteria balance on there. So I knew that my school didn't use it at all, just very small stuff, maybe some notifications or some cafeteria stuff, but I researched a little bit into other schools using it and I found out that a lot of schools use this as a main driver. At the time I actually started looking at Blackboard, I think it was mid to late 10th grade. I barely knew anything. I knew a little bit of SQL injection, a little bit of cross-site scripting, but I was still very much a beginner. And so I wanted to try to find a vulnerability in this, because I knew that there were a lot of schools using this software. My method of finding vulnerabilities was really inadequate and unprofessional. It was just looking at pages I saw in Chrome web tools and trying to mess with the parameters. I saw this error message a lot, but unlike Aspen, Blackboard didn't have verbose error messages, so I didn't know what was going on, whether or not it was an SQL error or it was just some random code error, like maybe it was expecting a type of input that I didn't give. But what I tried to do is, for parameters that responded to characters commonly used in SQL injection, like apostrophe, double quotes, I tried to put them through sqlmap. For the two people in here who don't know what sqlmap is, it's basically a tool that you can use to automate SQL injection. You give it a parameter and it actually tests the website for you automatically, or that specific URL. It won't scan an entire website for you, but it can really help you exfiltrate data and find any vulnerabilities that might not be as clear to a manual injection. So I was just starting in InfoSec and I barely knew anything, but I actually struggled and got an SQL injection. In this case it was Boolean-based blind, which actually was pretty good, because time-based blind takes forever to exfiltrate data, but Boolean-based actually let me go mildly quickly with some multi-threading.

So here's some very fun facts. In total I found over 4 SQL injection vulnerabilities. Most of these SQL injection vulnerabilities were basic blind SQL injection in parameters related to user ID numbers. One of the SQL injection vulnerabilities I found in late 2018 was on the same URL I reported and had patched in early 2018. So what happened was, in early 2018, I reported a page where there's a parameter vulnerable, but I guess I didn't look at the other parameters for that page. They patched that vulnerability, but then in the second set of research, late 2018, I found that another parameter on the same page was vulnerable. So they basically patched this one parameter and didn't even look at other source code that was on the same page.

Before we can see the impact of the SQL injection vulnerability, I needed to do some recon. So 6 databases were accessible, I found; the 2 interesting ones were a primary one and a backup one. The others seemed to be MySQL default databases, and there's a temp one that had nothing in it. The primary database had over 250 tables, and they had very concerning names for sure. Basically what it seemed like was that I could access whatever the web server itself could access. There didn't really seem to be that many restrictions. Specifically, the tables exposed include school attendance information, whether or not students showed up to class; bus information, how they get home; cafeteria status and payment history; enrollment, enrolled courses and course history; whether or not they've ever been disciplined before; their grades; their progress to graduating; their photos; some immunization and vaccination information; library balance and history; course schedule; whether or not they linked any social media accounts, but I don't know any student that would do that, I don't know why you would ever think that's a good idea; their birth date; their hashed password, they use SHA-1, and CrackStation really helped with that; PIN numbers; school uploaded documents; and contact information.

So there's some more fun facts I'd like to share. There's over 5 million students and teachers in the system. I did this by counting the number of rows in the main account table. There's over 34,000 immunization records. Blackboard wanted me to say that apparently in their terms of service they tell you not to upload immunization table information, but it turned out that they dedicated a specific spot for it in the database, yet they say in the terms of service not to upload anything. So I don't know how exactly that works, but there's over 5,000 schools impacted; in that map I showed you earlier, those were the schools impacted. And the database user's password is the lowercase version of the username. So it wasn't very nice to see that, because it was my data too in there, and seeing bad practices like that made me concerned what else was there, what else did they do wrong. To clarify though, this is from information accessed in March 2018, so I'm sure there's more students in there now, or more immunization records; I'm not quite sure what's going on today, but this was the status back in March 2018, right before I reported it.

So I think it's kind of important to clarify what I accessed and what I didn't access, what my boundaries were. I never accessed any other student data besides any authorized use, for example my own records; I did check to see that my information was in the account table. Any other information I gathered was either metadata, like number of rows, which is how I found out there's over 5 million students and teachers in the database, or it was not related to anyone's personal data, like database password hashes. The primary reason I kept investigating is because these guys were keeping my records as well, and I didn't really feel comfortable until I knew how bad the situation was, just sending it over and saying,
hey, here's the vulnerabilities. Um, you know, it just felt like this was pretty crazy stuff that I was starting to see and I needed to see how much they really messed up. So, disclosure time. I had a very, very interesting time trying to
disclose vulnerabilities to the Follett corporation. When I first found the XSS filter bypass vulnerabilities in 9th, 10th grade, I tried to reach out to Follett through my then school district's director of technology. That pretty much led nowhere; they weren't able to get a clear answer back from Follett. As I discovered the improper access control vulnerabilities, one of them stuck out to me. There was a vulnerability that allowed me to add a group resource to the group resources section. So Aspen has this group resources section where the school can upload helpful links and information, maybe the student handbook or back-to-school information. And so I found out that part of the improper access control vulnerabilities was that I could add my own group resource. So this meant I could add text and share it with what I thought was all students. So, being an immature 11th grader, what I immediately did was I made a group resource and sent it out to everyone saying, yeah, Follett didn't really care about security. And yeah, I did a little prompt, document.cookie, down there, and what would happen is whenever you logged into Aspen, you'd see this on the bottom of your screen. So I said my name in there because I didn't want them to make me look like the bad guy: oh yeah, the student hacked into our systems and compromised student data, how bad of a person is he? And so what I did was I included my actual name and a message, and I told them, if they want it taken down, just come straight to me. But what happened was, I thought it would go to all students; it actually went to everyone in my district. So, yeah, apparently the director of technology got pulled out of their meetings, and that wasn't that good. This is a screenshot from my own phone, and I actually got a notification saying, hey, from me. So the school wasn't really happy about it, I can understand. I only got off with a two-day suspension and I was able to convince them that I didn't violate the acceptable use policy. Yeah, that's a big one. I got suspended for creating a major disruption. Yeah, so two days off of school, I think it's a pretty win-win.

Looking back at it now, a few years later, I understand it probably wasn't the best thing to do. But one of the biggest reasons I thought it'd be a good idea was because at the time I was just getting into the industry, I didn't really know: so what do you do if a vendor doesn't have contact information? Or what do you do if a vendor doesn't even want to talk to you at all? I wasn't aware of organizations like the CERT Coordination Center, and so I took the mildly immature route of making a global message. So, after tweeting images about what I'd done on Twitter, mentioning Follett Learning in an attempt to get their attention, I actually got a reply. They were really helpful through direct messages and I'd set up a meeting with someone from the Aspen technical team. But then my school heard about this and they actually told them directly, don't talk to Bill. And I kind of feel bad for Follett, because my school was the one paying some of the bills, so they couldn't really be like, no, but we need to fix these vulnerabilities. But it was kind of shooting themselves in the leg, because I was trying to help here and I was trying to get these vulnerabilities patched, and they kind of delayed it for another semester.

In March 2018, after speaking with my principal, I actually coordinated with the district's director of technology to set up a meeting with Aspen. So one thing I do have to note: once I reached out to my director of technology, Follett actually had a meeting set up, I think, within a week. It was a pretty impressive response time. When I disclosed the bugs, they had them fixed, I think, 3 weeks later, in mid April of 2018. Overall the disclosure process was painless and they handled it pretty professionally; they weren't threatening me during our meeting. They were pretty chill and they were thankful for me disclosing these vulnerabilities.

So, fast forward to 2019. After I discovered and determined the impact of the XXC and L5 vulnerabilities, the
disclosure process was a lot different. My relationship with the school wasn't that great; they were kind of pissed off that I was doing this security research into the software that they were using. They weren't really on board with that. And so I was able to coordinate with Carnegie Mellon University's CERT Coordination Center, and they actually helped me get in touch with the director of cyber security and privacy at the Follett corporation. After a quick call, things were looking good; he seemed happy to help and wanted me to disclose the vulnerabilities to them. He told me he was going to set up a meeting with the Aspen development team, it might take a little bit, and I told them specifically that I didn't want to work with my school because, like I said, our relationship wasn't that great, understandably. So, for a month, all I got was delays: still working on the process, trying to coordinate a time, please stay tuned. And before hitting a month of delays, I sent a serious email, like, dude, what's going on? I had critical vulnerabilities to report. One thing I didn't really understand was that my school district's own director of technology was able to get a meeting with Follett within a week, but that was through a customer success advocate, and now you're telling me the director of cyber security can't get a meeting in a month? That just seemed a bit weird to me: what's going on here? And so, what does the director do when I tell him what's going on? Well, he tells my school everything, and he tells them, hey, Bill's trying to report these vulnerabilities to us. Luckily, at this time, it was a few days after I graduated, so I already had my diploma and they couldn't do anything; I was really happy about that. And so he contacted them, even though I told him not to, and the school basically banned all my accounts, even unrelated email accounts; they were really unhappy about it. And so I was kind of tired of working with Follett there. I just sent a PDF with all the vulnerabilities and said, here it is; if you want to fix them, fix them, if not, that's your deal. And so, after I sent that PDF, they actually started paying attention and started working on fixes. This was fixed back at the end of July 2019, actually, right before DEF CON.

So, going to Blackboard. Back in mid-2017, when I found my first SQL injection vulnerability, I sent a report to Blackboard's security email. Their initial reply was good; they were like, thank you so much for reporting this to us, we're gonna do an investigation, we'll get back to you when we've completed it. After a month of no replies, I sent a follow-up saying, hey guys, what's going on, how's the investigation going? No response. Half a month later, after that, I sent another email. No response. So, yeah, I wasn't sure if I was just losing it, maybe I wasn't emailing the right email. This was 10th grader me and I wasn't really used to vendors leaving me on read, so I didn't really take it well. So what I did was, I just said, okay, here's how I can tell if I'm crazy or not: what if I attach a mail tracker? And so that's what I did. And it said, learn security read your email 7 times. And so I got really mad at this, right? Because this is 10th grader me, I think I was 16 at the time, and these guys were ghosting me. It didn't really feel good, it hurt my feelings, okay? And now looking back at it, I was like, wow, was I really that bad back then? And this was definitely one of those moments. And so I just wrote an email completely calling them out, like, guys, I know you're reading my emails, please respond to me. And yeah, it was kind of bad too, because this wasn't a paid bug bounty program, and it was kind of just wasting my time, my research, etc. And of course they read that one too. So, when they heard about this, they wanted me to include a fun statement. Their response to this entire thing was: we're always working hard to improve. Sorry for ghosting you, Bill. And this is their wonderful, wonderful little statement they had me say. So,
I never heard back from that email again, but I didn't give up. After disclosing the Follett vulnerabilities, I decided to try to continue my disclosures, and I wanted to work with my school, back in March 2018, to try to report the Blackboard vulnerabilities. So the issue was, a few slides ago when I was talking about all the databases, all the tables, how many rows there were, etc., I was kind of worried about how they were going to take this. Did I break the CFAA? I didn't really know the law, but I knew that probably wasn't that cool what I did, in the eyes of the court. So I said, hey guys, how about we negotiate a contract, something that would protect me from, hopefully, prosecution. And so they sent me an initial contract within a week. But then I read the first thing it said: as of effective date, student agrees not to discuss the vulnerabilities with any third party. And this was definitely a no-go for me. By the way, this didn't go through, because I couldn't be here if I had signed this. And so, their own security policy said that after the vulnerabilities were patched, you can talk about it. So this was pretty crazy for me. I was under a lot of pressure from both the school and my parents, because my parents had to co-sign the agreement; I was only 16 at the time. And they were getting worried as well, like, what are you getting me into, Bill? And so I compromised to the second revision, where it says that I tell Blackboard everything accessed and the vulnerabilities themselves; I don't disclose the vulnerabilities until they've been patched; I send any publication 10 days in advance and comply with edit requests that can be, so-called, reasonably deemed as exposing Blackboard clients or end users to security threats; and Blackboard agrees not to pursue legal action as long as I don't disclose personal data about other students or other confidential information. So Blackboard indeed did read some of the slides you've seen today. Specifically they saw the SQL injection galore slides and they saw the disclosure part, and they didn't see the other set of vulnerabilities, like the subdomain stuff, because that was in the second set of research that I was doing.

So, after signing, disclosure was really stressful, because the school didn't want to be in the middle of negotiations. I was kind of making a big deal; I was like, guys, this is not a fair contract. Apparently the school's own lawyer said, oh, this is a fair contract. And it was for the school, but it wasn't really one for me; he wasn't really representing my interests. And like I said, they weren't really happy about it, but after we signed the contract and my parents signed it, it was pretty painless. I disclosed the vulnerabilities in the meeting, the school grilled them a bit on why they ghosted me, and the vulnerabilities ended up being patched at the end of April 2018.

And so the next set of vulnerabilities, including even more SQL injection and information disclosure bugs that leaked important credentials, was done with the help of the CERT Coordination Center at Carnegie Mellon University, their Software Engineering Institute. They got in touch with Blackboard through their security email, and we were able to work with them to patch vulnerabilities. Something kind of fun was that I actually reported it anonymously, and Blackboard didn't know that I was gonna disclose these CERT vulnerabilities until a week ago. So, let's see what they think about that. It took a few months, but at the end of the day the vulnerabilities were patched. The process isn't that difficult, and if you guys ever have any problems trying to contact a vendor, I strongly suggest you reach out to them, because I think they might be able to help.

So, something kind of strange I noticed was that in October of 2018 I was trying to get a CVE for the vulnerabilities I found. And so I tried to contact the CSO at the time, and when I emailed her, it said that this email didn't exist in their system anymore. So I googled; I thought, maybe they got a new CSO or something. And then I saw this job offer from Blackboard, and the interesting part about this was that the CSO apparently left right after my vulnerabilities were disclosed and fixed. Something kind of interesting. But a few friends said, Bill, you should apply for it. I decided not to. I don't think I have the qualifications for it yet, maybe in a year or two,
but it was still interesting to see that they left the company after my vulnerabilities.

So, to wrap up, a couple of suggestions for what we should do to prevent future incidents. First of all, no matter the company, schools should force companies to make sure that the products they use are safe. Schools have the most power here, because they're the ones actually paying the school software vendors. And so they have a lot of control over what the companies do and what the companies don't. In schools, I think that they should require third-party auditing of software where sensitive information is stored. It just feels like we take health data so seriously, but then we don't take the data of our own children as seriously. It just seems crazy to me, because we're the next generation. I think we should hold companies accountable when negligent actions are taken; I hope the public does this with the revelation of my findings. And I think that we should understand where sensitive information is stored and not fall for marketing talk. Just because a company says, yeah, we take care of your data, doesn't actually mean that they take care of my data.

So, the reason I think this is such an important thing to take care of is because the next generation should be one of our number one priorities, me included. It just feels like children can't defend themselves; they don't know secure practices, they don't know how to make sure their data is being held somewhere safe. And so I feel like parents and schools should be the ones making sure that children's data is actually being stored in a safe environment. I just can't believe we have so much regulation around health data and we don't have nearly as much regulation around school data or student data. Especially because it's the data of minors; we shouldn't expect them to have their own data being controlled with their own data. And so my question is: if a 16 year old can find a breach affecting millions of students and teachers, what can a nation state find? Do you feel comfortable with foreign nations having the data of your children? I wouldn't.

So, some thanks, and they're very massively deserved. The first is to the Electronic Frontier Foundation. They've been incredibly helpful throughout my entire research process and they offered me pro bono legal representation throughout the whole thing. The second piece of thanks goes to the CERT Coordination Center. They've helped with finding points of contact for both Follett and Blackboard and assisted with disclosure in every step of the way.

So, I think we have a few minutes. If anyone has some dying questions they want to ask me, I think we can ask them. I don't know if my goon is here, the one running my talk, but, okay, he left, that's sad. Yeah. Do you think we could, if anyone has some questions, they can come up and ask, I guess? Alright, no one has questions, that's always great. Alright, come on.

What were your parents' views on what was going on during this time?

They told me not to do it. They were really unhappy with the contract; they didn't feel they wanted to be involved in anything like that. So it was mixed feelings, definitely.

What are you gonna do next?

Start college, maybe break their software.

Did you ever get around to changing your grade?

I can't answer that question. Alright, well, thanks again for everyone coming out to my talk.
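Added example, not part of the talk and not code from Follett or Blackboard: the speaker describes a page where one parameter was reported and bound, while a second parameter on the same page stayed concatenated into the query and showed up as Boolean-based blind SQL injection a year later. The block below models that progression with an in-memory SQLite table (the `students` table, its columns and the sample rows are constructed assumptions) and a small regression audit a defender can run over every parameter of a handler, so a fix is verified for the whole page rather than only the parameter that was reported.

```python
"""Incomplete SQL injection fixes, and a per-parameter regression audit.

Added example; the table layout, handler names and sample rows are
assumptions made for illustration, not anything from the talk.
"""
import sqlite3


def make_db():
    """Constructed sample data: a tiny student table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER, school_id INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO students VALUES (?, ?, ?)",
        [(1, 10, "alice"), (2, 10, "bob"), (3, 20, "carol")],
    )
    return conn


def lookup_unpatched(conn, params):
    """Both request parameters are concatenated into the SQL text."""
    sql = ("SELECT name FROM students WHERE id = " + str(params["student_id"])
           + " AND school_id = " + str(params["school_id"]))
    return [row[0] for row in conn.execute(sql)]


def lookup_partially_patched(conn, params):
    """Only the reported parameter (student_id) was bound; school_id was missed."""
    sql = "SELECT name FROM students WHERE id = ? AND school_id = " + str(params["school_id"])
    return [row[0] for row in conn.execute(sql, (params["student_id"],))]


def lookup_fixed(conn, params):
    """Every value reaches the engine as a bound parameter, never as SQL text.
    In a real handler, type validation (e.g. int()) would be a second layer."""
    sql = "SELECT name FROM students WHERE id = ? AND school_id = ?"
    return [row[0] for row in conn.execute(sql, (params["student_id"], params["school_id"]))]


def probe_parameter(handler, conn, baseline, name):
    """Boolean-based blind regression probe for one parameter.

    Append a true and a false predicate to the baseline value of `name` and
    compare the two responses. If they differ, the value was interpreted as
    SQL rather than as data. A bound value cannot produce that difference,
    because SQLite compares the whole string against the integer column.
    """
    true_case = dict(baseline, **{name: f"{baseline[name]} AND 1=1"})
    false_case = dict(baseline, **{name: f"{baseline[name]} AND 1=2"})
    return handler(conn, true_case) != handler(conn, false_case)


def audit(handler, conn, baseline):
    """Probe every parameter of a handler, not just the one that was reported."""
    return {name: probe_parameter(handler, conn, baseline, name) for name in baseline}


if __name__ == "__main__":
    db = make_db()
    request = {"student_id": 1, "school_id": 10}
    for handler in (lookup_unpatched, lookup_partially_patched, lookup_fixed):
        print(handler.__name__, audit(handler, db, request))
```

Run stand-alone, the audit reports both parameters injectable for the unpatched handler, only `school_id` for the partially patched one (the pattern the talk describes), and neither for the fully bound version; wiring this kind of probe into a test suite for every parameter a page accepts is what catches the second parameter before a second round of research does.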