
I was reverse engineering our school's commercial grading system backend with chrome dev tools observing the GET requests. My intent was to code a nice app, just for me to learn more about this etc.

I have come to discover that you can see any student's information by just POSTing to the server with their student id information, which is included in every student's email. And our school's email address book is easily visible. The really bad thing about this is that the request returns the student's social security number as well. How would I go about disclosing this to the vendor and the school?
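The defect described in the question is a missing server-side authorization check: the endpoint trusts a student id supplied by the client and returns the full record, SSN included. The following is an added example, not code from the question, the school or the vendor, that models that defect next to a hardened version and adds the kind of log check an operator could use to spot enumeration of student ids. All names, records, sessions and log lines are constructed for illustration.

```python
# Added example: a minimal model of a grade-lookup endpoint that authorizes
# only on the student id in the request (the defect described), a hardened
# lookup that derives the caller's identity from the session and allow-lists
# the response fields, and a log check for one session reading many ids.
# Every record, token and log line here is constructed; nothing is real data.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Student:
    student_id: str
    name: str
    ssn: str            # sensitive: a grade view never needs it
    grades: Dict[str, str]


# Constructed stand-in for the vendor's student table
STUDENTS: Dict[str, Student] = {
    "s1001": Student("s1001", "Alice Example", "000-00-0001", {"math": "A"}),
    "s1002": Student("s1002", "Bob Example", "000-00-0002", {"math": "B"}),
}

# Constructed session table: session token -> (caller id, role)
SESSIONS: Dict[str, tuple] = {
    "tok-alice": ("s1001", "student"),
    "tok-bob": ("s1002", "student"),
    "tok-staff": ("staff-7", "staff"),
}


def vulnerable_lookup(student_id: str) -> Optional[dict]:
    """The defect: the only input is the target id, nobody checks who is
    asking, and the whole record (SSN included) is serialised."""
    s = STUDENTS.get(student_id)
    return None if s is None else vars(s)


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested record."""


def hardened_lookup(session_token: str, student_id: str) -> Optional[dict]:
    """Authorize on the server. The caller's identity comes from the session,
    not the request body, and the response is an explicit field allow-list."""
    session = SESSIONS.get(session_token)
    if session is None:
        raise Forbidden("not authenticated")
    caller_id, role = session
    # Object-level check: a student reads only their own record; staff may read any.
    if role != "staff" and caller_id != student_id:
        raise Forbidden("not authorized for this student")
    s = STUDENTS.get(student_id)
    if s is None:
        return None
    # Return only what the grade view needs; the SSN stays on the server.
    return {"student_id": s.student_id, "name": s.name, "grades": dict(s.grades)}


def can_read(session_token: str, student_id: str) -> bool:
    """Convenience wrapper: True if the hardened lookup permits the read."""
    try:
        hardened_lookup(session_token, student_id)
        return True
    except Forbidden:
        return False


def enumerating_sessions(log_lines: List[str], threshold: int) -> Set[str]:
    """Detection aid: flag sessions that looked up more distinct student ids
    than `threshold`. Log format (constructed): '<time> <session> <student_id>'."""
    seen: Dict[str, Set[str]] = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines
        _, session, sid = parts
        seen.setdefault(session, set()).add(sid)
    return {s for s, ids in seen.items() if len(ids) > threshold}


# Constructed access log: one session reading its own record, one sweeping ids
SAMPLE_LOG = [
    "12:00:01 tok-alice s1001",
    "12:00:02 tok-alice s1001",
    "12:00:03 tok-bob s1001",
    "12:00:04 tok-bob s1002",
    "12:00:05 tok-bob s1003",
    "12:00:06 tok-bob s1004",
]

if __name__ == "__main__":
    print("vulnerable:", vulnerable_lookup("s1002"))
    print("hardened  :", hardened_lookup("tok-bob", "s1002"))
    print("alice->bob:", can_read("tok-alice", "s1002"))
    print("flagged   :", enumerating_sessions(SAMPLE_LOG, threshold=2))
```

The two fixes are independent and both matter: the authorization check stops one student from reading another's record, and the response allow-list means that even a future authorization bug cannot leak the SSN through this endpoint. The log check is the operator's side of the same problem, since a session that reads many different student ids in a short window is the signature of exactly the enumeration the question describes.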

  • Probably best to contact them directly before posting the details on a public forum. – ISMSDEV Oct 24 '17 at 11:47
  • Out of the "security" vulnerabilities I have seen in school software, this is definitely not a small one. I say that to say: figuring out how to report it is a good idea. That being said (and it sounds like you already know this) *protect yourself*. These things have frequently gone badly, even for people who meant the best. If you haven't already, **immediately** stop using dev tools to poke around on the website. Don't do anything else that can even be remotely construed as hacking. Then start figuring out how to report it. – Conor Mancone Oct 24 '17 at 12:05
  • I'd suggest going immediately to your headmaster. He should keep your own interests in mind and appreciate the honesty of talking to him first. As others said, do not request another student's information. Use your own profile to demonstrate this to the school / company. – Hector Oct 24 '17 at 12:08
  • "Disclose" to whom? The school, the 3rd party developers, the student body? – schroeder Oct 24 '17 at 12:18
  • @schroeder Disclose to the school, and the developers. I am very concerned as now I know my SSN is easily accessible by anyone else. Someone has suggested if the developers (who are very inactive) don't respond to message the school board. Someone else told me it would be a good idea to report it to a news outlet to gain attention. If I go the news outlet way I'd disclose that it is possible to do this, without providing how, and that I have told the school board and nothing has been done. Just trying to avoid trouble though. – user3051640 Oct 24 '17 at 12:20
  • If you do not do this anonymously, I would go to the school, not the software provider. The school and you have a shared interest to get this solved; the software company and you have opposite interests. –  Oct 24 '17 at 12:25
  • Talk to your *parents* first. You are going to need some support because you have accessed data that you do not have the authorization to access. Then get a teacher on your side (preferably one who would understand the technical details) and explain that you want to bring this to the attention of the school administration. Then, with your parents and the teacher, approach the administration. It is their job to take it from there. – schroeder Oct 24 '17 at 12:31
  • https://www.theregister.co.uk/2017/07/25/hungarian_teenager_arrest_sparks_protests/ - To reiterate what Conor has stated, do this in a way that's either discreet, or in compliance with all relevant legislation. Here in the UK, what you've done could be interpreted as a breach of the Computer Misuse Act (I think?). Some people are extremely receptive and appreciative of ethical cases like this, some people - not at all appreciative. –  Oct 24 '17 at 14:41
