Difference between revisions of "Security Hole in Online Lunch Account"

From ThePlaz.com

Jump to: navigation, search
(post)
 
(add the statement I had floating around)
 
Line 13: Line 13:
  
 
In the past, I could use a student id and name to log onto a student’s Windows XP computer account.  Luckily, this has been fixed this year by requiring students to change their passwords.
 
In the past, I could use a student id and name to log onto a student’s Windows XP computer account.  Luckily, this has been fixed this year by requiring students to change their passwords.
 +
 +
The ethics for the discoverers of security vulnerabilities generally call for the discoverer to remain quite about the vulnerability, until the problem has been resolved and a patched has be released, or a significant amount of time has passed in which the parties producing the system had a reasonable amount of time to resolve the flaw and have not done so.

Latest revision as of 22:57, 7 September 2008

This is a record of a vulnerability I found and reported to the school in Sept 2008. It regards MySchoolAccount.com, the online lunch account service, at Haverford High School. It has since been resolved by also requiring Date of Birth


I logged on to the site today for the first time. After creating a parent account, I can “claim” a student by entering a student id. Since student ids are sequential by alphabet, I am able to easily guess a valid student id. If I were to have access to a list of students (the PTA directory for example) I could, with a little guessing, determine a student’s id.

However, I am able to enter this student id into MySchoolAccount (as long as that student’s profile has not been claimed by someone else) and see the following information:

  • Student’s name (and of course the id along with that name)
  • Their lunch purchase history for the past 30 days
  • Their account balance
  • I am able to add money to that person’s account (no harm in that!)
  • Receive a notification via email when balance falls under a certain amount
  • By tracking balances/history I would be able to determine if a student qualified for reduced lunch and by extension (most likely; unconfirmed) free lunches, a violation of confidentiality

In the past, I could use a student id and name to log onto a student’s Windows XP computer account. Luckily, this has been fixed this year by requiring students to change their passwords.

The ethics for the discoverers of security vulnerabilities generally call for the discoverer to remain quite about the vulnerability, until the problem has been resolved and a patched has be released, or a significant amount of time has passed in which the parties producing the system had a reasonable amount of time to resolve the flaw and have not done so.