Friday, August 30, 2002

found a vulnerability in my school's student information system

So our school district started using a new student information system this year called the Digital Locker System. The software is being developed by a company called ACMA while the administrative tasks for LAHS are managed by our two physics teachers, Mr. Randall and Mr. Florendo. The company is still working out the kinks as the DLS is bleeding-edge software.

I was familiarizing myself with the DLS today when I noticed a serious issue: every student's default password could be found in the URL of their profile. This was quickly fixed after I reported it to Mr. Randall. He was definitely glad that I told him about the problem.

Of note is that someone else had discovered the same vulnerability before I did. However, that person abused it instead of doing the right thing and reporting it to the school. He apparently used the exploit to compromise several dozen accounts. I'm glad we found out what was going on before he could cause more damage.

Update: The culprit has been identified. From what Mr. Randall told me, the student wasn't only banned from the system, but also had his computer privileges revoked. Good riddance.

Currently watching: Dolphins (2000)
