Monday, June 02, 2008

What to do when a hole is found?

Just the other day, I needed my old high school GPA and the list of classes I had taken. The school had an online system so students could check their grades. Thinking that I could still log in to get the information, I gave it several tries, only to realize that they no longer kept old student data.

What sparked my interest is that on a failed login I got a 404 (page not found). I took a deeper look at the source code of the web page and found that there was no real secure authentication. The JavaScript made a simple "hash" of the student ID, turning a 5-digit integer into hex. It then tacks the user's 3-digit PIN/password onto the end of the hex string. It turns out this hex string is the name of the HTML file on the server that holds the student's grades.

The flaws in the system are obvious. The only thing they did right was to add the directory with the student data to the robots.txt file so Google would not cache the information.
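As an added illustration (not the school's software and not the author's code), the file-name derivation described above beside a server-side check that removes the guessable name; the `GradeServer` class, its PBKDF2 parameters and the sample student are assumptions made here for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Flawed scheme as the post describes it: the "authentication" is a file name
# derived entirely on the client, so the server never verifies anything.
def legacy_record_name(student_id: int, pin: str) -> str:
    """Hex of the 5-digit student ID with the 3-digit PIN appended."""
    return f"{student_id:x}{pin}.html"

def legacy_keyspace() -> int:
    """Every 5-digit ID times every 3-digit PIN: the whole space is small and enumerable."""
    return 10 ** 5 * 10 ** 3

# Hardened alternative (an assumption for this example): the server keeps a salted
# PBKDF2 hash of each PIN, exposes no derivable file name, and answers a wrong ID
# and a wrong PIN identically instead of the 404-vs-page oracle the post observed.
class GradeServer:
    ITERATIONS = 100_000  # work factor; tune for the deployment

    def __init__(self) -> None:
        # student_id -> (salt, pin_hash, grades)
        self._students: Dict[int, Tuple[bytes, bytes, str]] = {}

    def enroll(self, student_id: int, pin: str, grades: str) -> None:
        salt = secrets.token_bytes(16)
        pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, self.ITERATIONS)
        self._students[student_id] = (salt, pin_hash, grades)

    def lookup(self, student_id: int, pin: str) -> Optional[str]:
        """Return the grades only when the PIN verifies; otherwise None, uniformly."""
        # Hash against a dummy salt for unknown IDs so timing does not reveal valid IDs.
        salt, stored, grades = self._students.get(
            student_id, (b"\0" * 16, b"\0" * 32, ""))
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, self.ITERATIONS)
        if student_id in self._students and hmac.compare_digest(candidate, stored):
            return grades
        return None
```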

Should I let this go? Should I bring this up to the school? Would they even listen to me? Should I spend a day writing a program to anonymously brute-force every student's ID and PIN, as proof of how flawed the system is? I know there is no real personal info available, but why did they add the insecure authentication system?

It gets worse: hundreds of schools nationwide use this exact same method, because it is part of a licensed software package that many schools use to keep track of students' grades.

I also suspect that the PINs are not random, but may derive from the student ID or the student's name, since they were assigned and no person has the power to change them. Hence the software that powers the grading system generated the PINs.
