Security Hole in Online Lunch Account

From ThePlaz.com


This is a record of a vulnerability I found and reported to the school in Sept 2008. It regards MySchoolAccount.com, the online lunch account service, at Haverford High School. It has since been resolved by also requiring Date of Birth.


I logged on to the site today for the first time. After creating a parent account, I can “claim” a student by entering a student id. Since student ids are sequential by alphabet, I am able to easily guess a valid student id. If I were to have access to a list of students (the PTA directory for example) I could, with a little guessing, determine a student’s id.

However, I am able to enter this student id into MySchoolAccount (as long as that student’s profile has not been claimed by someone else) and see the following information:

  • Student’s name (and of course the id along with that name)
  • Their lunch purchase history for the past 30 days
  • Their account balance
  • I am able to add money to that person’s account (no harm in that!)
  • Receive a notification via email when balance falls under a certain amount
  • By tracking balances/history I would be able to determine if a student qualified for reduced lunch and, by extension (most likely; unconfirmed), free lunches, a violation of confidentiality
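To make the flaw and its fix concrete, here is an added example (not MySchoolAccount's code; the roster, names and limits are constructed) modelling the "claim a student" check: the weak version accepts any unclaimed student id, while the hardened version also requires the date of birth, as the eventual fix did, and additionally locks a parent account after repeated failures and records each attempt so that guessing sequential ids is both harder and visible to an administrator.

```python
"""Model of the "claim a student" check (constructed example)."""
import hmac
from collections import defaultdict

# Constructed sample roster with sequential ids, as the page describes.
STUDENTS = {
    "100001": {"name": "A. Example", "dob": "2001-03-14", "claimed_by": None},
    "100002": {"name": "B. Example", "dob": "1999-11-02", "claimed_by": None},
}
MAX_FAILURES = 5           # assumed lockout threshold
failures = defaultdict(int)  # parent account -> consecutive failed claims
audit_log = []               # defender-side record of claim attempts


def claim_weak(parent, student_id):
    """Original behaviour: knowing an unclaimed id is enough to claim it."""
    s = STUDENTS.get(student_id)
    if s is None or s["claimed_by"] is not None:
        return False
    s["claimed_by"] = parent
    return True


def claim_hardened(parent, student_id, dob):
    """Requires id AND date of birth; locks the parent after MAX_FAILURES."""
    if failures[parent] >= MAX_FAILURES:
        audit_log.append(f"LOCKED parent={parent}")
        return False
    s = STUDENTS.get(student_id)
    # Compare against a dummy value when the id is unknown so that known
    # and unknown ids take the same code path and timing.
    expected = s["dob"] if s else "0000-00-00"
    match = hmac.compare_digest(expected, dob)
    ok = s is not None and s["claimed_by"] is None and match
    if not ok:
        failures[parent] += 1
        audit_log.append(
            f"FAIL parent={parent} id={student_id} count={failures[parent]}")
        return False
    s["claimed_by"] = parent
    failures[parent] = 0
    audit_log.append(f"CLAIM parent={parent} id={student_id}")
    return True
```

A burst of FAIL entries for one parent account across many sequential ids is the signal an administrator would watch for.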

In the past, I could use a student id and name to log onto a student’s Windows XP computer account. Luckily, this has been fixed this year by requiring students to change their passwords.

The ethics for the discoverers of security vulnerabilities generally call for the discoverer to remain quiet about the vulnerability until the problem has been resolved and a patch has been released, or until a significant amount of time has passed in which the parties producing the system had a reasonable opportunity to resolve the flaw and have not done so.