Our school district started using a student information system called the Digital Locker System this year. It's being developed by ACMA while the administrative tasks for LAHS are handled by our physics teachers, Mr. Randall and Mr. Florendo. Given that the DLS is bleeding-edge software, the company is still working out the kinks.
I was checking out the DLS when I noticed the default password for students was the same as the user identifier. Each user also has a profile page that is publicly accessible. Because the user ID is specified in the URL as a parameter, an attacker could use it to access other people's accounts. I realized it was serious and reported it to Mr. Randall as soon as possible. He said he would escalate the matter, and the problem was fixed by the time I got home. All accounts now have different user IDs.
As hard as it is to believe, someone else also found the same issue. I was showing it to Mr. Randall when I noticed a lot of accounts with changed names. It was obviously the work of a hacker. Too bad they didn't do the right thing and tell someone. I'm glad we found out before they could cause more damage.
Update: I got word from Mr. Randall that school officials have identified the person responsible. He says they banned him from the DLS and took away his computer privileges. Good riddance.
Currently watching: Dolphins (2000)
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment