Friday, August 30, 2002

found a vulnerability in my school's student information system

So the Los Altos School District started using a new student information system this year called the Digital Locker System, or DLS. The software is being developed by a company called ACMA, and the administrative tasks for LAHS are managed by our two physics teachers, Mr. Randall and Mr. Florendo. The DLS is still in an early stage, so we're essentially testing it for the company.

While familiarizing myself with the DLS this morning, I noticed a rather serious issue: every student's default password was the same as their user ID, which was part of their profile URL. I immediately reported this to Mr. Randall, and the problem was promptly fixed. He was definitely glad that I told him about the issue.
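An added example, not code from the DLS or from ACMA, showing the defender-side check for the weakness described above: it flags every account whose password still equals its user ID, and shows the safer provisioning alternative (a random initial password with a forced reset on first login). The account record shape, the PBKDF2 hashing and the sample user IDs are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Hypothetical account record shape; the real DLS schema is not public.
def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def make_account(user_id: str, password: str, must_reset: bool) -> dict:
    salt = os.urandom(16)
    return {"user_id": user_id, "salt": salt,
            "hash": hash_password(password, salt), "must_reset": must_reset}

def password_matches(account: dict, candidate: str) -> bool:
    # Constant-time comparison of the stored hash against the candidate's hash.
    return hmac.compare_digest(account["hash"],
                               hash_password(candidate, account["salt"]))

def find_userid_as_password(accounts: list) -> list:
    """Return the user IDs whose current password is their own user ID,
    i.e. accounts still on the weak default described in the post."""
    return [a["user_id"] for a in accounts if password_matches(a, a["user_id"])]

def provision_account(user_id: str) -> tuple:
    """Safer provisioning: random one-time initial password, reset forced at first login."""
    initial = secrets.token_urlsafe(12)
    return make_account(user_id, initial, must_reset=True), initial

# Constructed sample data, not real DLS records.
SAMPLE_ACCOUNTS = [
    make_account("10231", "10231", must_reset=False),                # default never changed
    make_account("10232", "correct horse battery", must_reset=False),  # user chose a password
    make_account("10233", "10233", must_reset=False),                # default never changed
]

if __name__ == "__main__":
    print(find_userid_as_password(SAMPLE_ACCOUNTS))  # ['10231', '10233']
```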

I should mention someone else had independently discovered the vulnerability a bit earlier than me. However, that person chose to abuse it instead of doing the right thing and reporting it. He apparently used the exploit to compromise several dozen accounts. I'm really glad we found out what was going on before he could cause more damage.

Update: The culprit has been caught. According to Mr. Randall, the student was not only banned from the DLS, but also had his computer privileges revoked. Serves him right.

