Teen Hacker Discovers Bugs In Education Software Exposing Millions Of Student Records

From security officers to guest sign-ins, schools employ several tools to keep their physical campuses safe. However, is student data also secure? A teen hacker recently uncovered vulnerabilities in two education software programs that could have affected over five million students.

Bill Demirkapi is a high school senior in Lexington, Massachusetts, who began hacking when he was a freshman. He soon discovered that the education software used by his school, Aspen and Blackboard, contained major security vulnerabilities. The flaws in the two programs could have affected over 5,000 schools and 5 million students. This would have been more severe than the recent San Diego Unified School District data breach, which exposed over 500,000 students and staff members.

The Aspen vulnerability had the potential to expose student information such as birth cities, bus routes, number of suspensions, special education status, and details about reduced or free lunches. Hackers could have gained this information by entering their own script into the website. Websites generally contain filters that are able to deny hacker requests, but the Aspen website was missing these filters. Demirkapi was able to access information about himself and a friend who gave him permission to do so.

Blackboard contained several SQL-injection vulnerabilities. Hackers would have been able to access data such as phone numbers and home addresses, attendance, immunization records, and social media links. Demirkapi was even able to change his acceptance status at a college he applied to. He remarked, “[An attacker would have] access to every single school that was using Blackboard Community Engagement.”

Demirkapi found it incredibly difficult to get in contact with Blackboard and Follett, the creators of Aspen. He took things into his own hands after several unanswered emails to Follett and a dismissive response from his school's director of technology. He used one of the vulnerabilities to send a push notification to everyone in his school district. He was suspended for two days, but eventually was able to get in contact with Follett. Demirkapi had a little more luck contacting Blackboard and did not resort to push notifications. Both companies reported that no one besides Demirkapi had exploited the vulnerabilities.

Demirkapi shared his experience at the Defcon hacker conference in Las Vegas this past week. Follett and Blackboard have since fixed their security vulnerabilities, but Demirkapi is still concerned. He stated, “These companies say they're secure, that they do audits, but don't take the necessary steps to protect themselves from threats.”