Teen Tells DEF CON How He Hacked Millions Of Student Records From Popular Education Software

Teen Tells DEF CON How He Hacked Millions Of Student Records From Popular Education Software

“Hello from Bill Demirkapi :)“ read the message sent to thousands of parents, students and teachers in his school district after the aforementioned teenager hacked his school’s education software. It was one of many bugs Demirkapi discovered over the last three years — another exposed millions of student records — that he presented on at this year’s DEF CON, a hacker convention in Vegas.

The software belonged to two of the biggest names in education tech: Blackboard and Follett. Combined, these tech firms provide online education products for more than half the schools in America.

When Demirkapi was in Year 9, a mixture of boredom and aimless ambition led he to start investigating the companies’ interfaces.

In Blackboard’s Community Engagement software alone, he was able to access records for roughly five million students, everything from their phone numbers to their class schedules, by exploiting common bugs such as “so-called SQL-injection and cross-site-scripting vulnerabilities,” Wired reported.

He found similar bugs in Follett’s Student Information System, including student passwords that some genius left unencrypted for any fledgling security researcher like him to see.

“The access I had was pretty much anything the school had. The state of cybersecurity in education software is really bad, and not enough people are paying attention to it,” said Demirkapi according to Wired’s report.

He said he initially tried reporting these vulnerabilities to both his school and the two companies but wasn’t taken seriously. Blackboard representatives ghosted him after a few emails, and Follett never responded at all.

That’s when he got the idea for the text notification, he said. Something authorities couldn’t ignore. And while it earned him a two-day suspension, Follett and Blackboard did patch up the reported leaks in their software’s interfaces last month.

While Follett’s senior vice president of technology, George Gatsis, thanked Demirkapi’s for helping them suss out these bugs, he maintained in a statement to Wired that the teenager couldn’t possibly have accessed data other than his own even by exploiting the reported security flaws.

Demirkapi understandably disagreed and said he showed the company’s engineers his friend’s hacked password as proof.

Representatives at both Follet and Blackboard did not immediately respond to Gizmodo’s inquiries.

At his DEF Con presentation, a member of the crowd asked Demirkapi, now recently graduated, what he has his sights set on now. “Start college, maybe break their software,” the young hacker responded according to Mashable’s report.

Given all the news about recent breaches — including one by a fellow student in Germany who doxxed his country’s politicians — let’s just hope mass texting a smiley face stays the most nefarious result of Demirkapi’s hacking.

[h/t Mashable, Wired]