
Students can hack into e-learning environment Blackboard easily

by Michiel on July 19

Recently we’ve studied the security of the most popular e-learning web application: Blackboard. Blackboard is used worldwide to provide course information, content management, student communication and collaboration, online exams, assessment management etc.

During the research a very large number of vulnerabilities were found. For example, a student who knows how to use Google can easily raise his or her level from ‘student’ to ‘instructor’. In addition, with some creativity, username and password combinations can be stolen unnoticed.

Because universities and colleges often use the same username and password for several services, a student can access multiple systems when exploiting a vulnerability in Blackboard. Think of student administration, study progress management tools, e-mail etc.

To show the risk of using Blackboard, we’ll publish a paper about the research very soon. The paper describes the vulnerability types that were found and the risks to which the users and administrators of Blackboard are exposed. The paper does not contain technical details about the vulnerabilities, such as how to exploit them. A full disclosure date will be announced soon. The paper will be released together with an interview at security.nl and Webwereld.

Update October 29th, 2010
The paper has been released today. Find out more.


Written by Michiel Prins

Has a strong focus on web applications and the security side effects of using modern web browser features. Loves challenges and the internal Online24 ‘hackathons’.
