LAS VEGAS -- Beginning in the 10th grade, high-school student Bill Demirkapi found multiple security flaws in the software his school used to record grades, keep attendance, notify parents and even maintain lunch-money accounts. But the trouble he got into for reporting the flaws shows how risky it can be to draw attention to powerful institutions' security holes.
"There is a serious problem in the education industry, and not enough attention is given to this issue," Demirkapi said during a presentation this past weekend (opens in new tab) at the DEF CON 27 hacker conference here. "If a 16-year-old can find a breach affecting millions of students and teachers, what can a nation-state find?"
MORE: Best Laptops for College
Demirkapi focused on two software suites used by his Boston-area high school: Follett's Aspen Student Information System and Blackboard Community Engagement. The school used Aspen to deliver grades and transcripts and Blackboard to deliver news and information about academics to students and parents.
Pulling a Ferris Bueller
Aspen filtered its user-input fields so that no regular user could submit malicious code into its messaging system. But in his junior year, Demirkapi discovered that Aspen filtered out code only once per submission; if he nested code within more code, the filter would strip out only the outermost layer and everything else would get through.
Aspen also didn't totally lock down what ordinary users could do, Demirkapi found. By changing some parameters in the visible Java code running Aspen, Demirkapi could read other students' Aspen passwords, birthdates, English-language status, family military status, free lunch status, disciplinary status, special-education status and GPA. (He said he didn't look at anyone's records but his own.)
"And I could edit my own GPA," Demirkapi said, though he declined to state whether he actually did so.
In his senior year, Demirkapi found that if he triggered an error message while trying to see certain types of files in Aspen, the error message itself would print the entire contents of the file. Files could also be accessed if he input malicious code while requesting downloads of class schedules or report cards.
Blackboard had even bigger problems, Demirkapi said.
When he was a senior, he discovered that the Blackboard software installed on his school district's systems had the debugging feature enabled, the software equivalent of leaving a maintenance door unlocked.
This meant that error messages caused by bad code would print out all the metadata associated with all city school districts -- including administrative usernames and passwords, and login credentials for 27 Apple App Provisioning accounts used to install school software on teachers' and students' iPhones and iPads.
Even more elementary were four SQL-injection vulnerabilities Demirkapi found during 10th grade, when he was just beginning to probe his school's systems.
SQL injections can be triggered by typing gibberish into the database commands visible in many websites' URLs. Such attacks have been a widely known issue for 20 years, and most Web-facing databases prevent them by blocking unapproved commands. Blackboard apparently didn't get them all.
Demirkapi said he could see not only his own school's records, but the entire Blackboard database, exposing the names, birthdates, contact information, courseload, grades, disciplinary history, photographs and weakly encrypted passwords of every student and teacher in the Blackboard system nationwide.
By counting the database tables and numbers of entries, Demirkapi estimated that he could have looked at (but insists he didn't) the records of more than 5 million people and 5,000 schools, including 34,000 immunization records.
Shooting the messenger
"I had a very interesting time trying to disclose these flaws to [Aspen parent company] Follett Corporation" when he was a junior, Demirkapi said. "I started with going through my school's IT director, but that went nowhere."
So instead, he used Aspen's own messaging features to broadcast a warning to other students in his school that Follett "didn't care about security."
"You'd see that message whenever you'd log into your screen," Demirkapi said. "It turns out that message went out to every student, teacher, administrator and parent in the district, not just kids at my school."
"I got only a two-day suspension and managed to convince them that I hadn't violated the school's Acceptable Use [IT] policy," he added. "In retrospect, it wasn't the best thing to do."
Demirkapi then used Twitter to post images of what he'd accomplished, which got Follett to reach out to both him and his school and try to set up a meeting.
"My school heard about that and told Follett not to talk to me," he said, until he pleaded with his principal to allow a meeting.
"They met with me within a week and had the bugs fixed by mid-April 2018," he said. "They were very professional."
A year later, after he'd found the second set of Aspen bugs, Demirkapi reached out to Follett through a third-party disclosure program and said he didn't want to get his school involved. But Follett stalled on working directly with him, Demirkapi said, and then notified his school -- which promptly disabled all of Demirkapi's school accounts.
"Good thing I had already graduated," Demirkapi said. "I just sent in a PDF of the vulnerabilities to Follett, so they fixed them all by end of July 2019."
"After receiving Bill's information, we developed and deployed a patch to address the web vulnerability in July 2018," a spokesperson for Follett told Tom's Guide.
"We sincerely appreciate Bill's efforts to bring this to our attention. Our technology team continually monitors the system for vulnerabilities and updates the platform as needed based on information from security audits and information provided by third-party sources."
'We could improve how we communicate with security researchers'
Blackboard wasn't as responsive as Follett, Demirkapi said. The company initially didn't respond to the emails he'd sent them about the SQL-injection flaws he'd found during his junior year -- even though he could see the emails were being read.
So he had his school reach out to Blackboard, which responded with a contract that amounted to a nondisclosure agreement and meant Demirkapi wouldn't be able to discuss the flaws with anyone, even after they had been fixed.
With the help of his parents, he negotiated the contract to permit disclosure after the flaws were fixed -- and to give Blackboard editing control over anything Demirkapi said about the flaws, including the slides for his DEF CON presentation. The second set of Blackboard flaws he found went through the third-party disclosure program without a hitch.
However, Demirkapi noticed that the chief information-security officer of Blackboard left the position "right after my SQL vulns were patched in April 2018."
"I saw a job listing for the position and thought about it," Demirkapi said. "I was still only 17 then, though, so I think I'll wait a year or two."
"We commend Bill Demirkapi for bringing these vulnerabilities to our attention and for striving to be part of a solution to improve our products' security and protect our clients' personal information," a spokesperson for Blackboard told Tom's Guide.
"We have addressed all issues that were brought to our attention by Mr. Demirkapi and have no indication that these vulnerabilities were exploited or that any clients' personal information was accessed by Mr. Demirkapi or any other unauthorized party."
"Blackboard takes every report of a potential vulnerability seriously and works to investigate and remediate potential weaknesses as quickly as possible," the spokesperson added. "One of the lessons learned from this particular exchange is that we could improve how we communicate with security researchers who bring these issues to our attention."
At the end of his talk, Demirkapi outlined a series of recommendations for schools buying educational software.
"No matter the company, schools should force companies to make sure products they use are safe," he said. "Schools should require third-party auditing of software, hold companies accountable when negligent actions are taken [and] understand how and where sensitive information is stored -- don't fall for marketing talk."