Difference between revisions of "Security Hole in Online Lunch Account"
From ThePlaz.com
Revision as of 22:16, 7 September 2008
This is a record of a vulnerability I found and reported to the school in Sept 2008. It regards MySchoolAccount.com, the online lunch account service, at Haverford High School. It has since been resolved by also requiring Date of Birth.
I logged on to the site today for the first time. After creating a parent account, I can “claim” a student by entering a student id. Since student ids are sequential by alphabet, I am able to easily guess a valid student id. If I were to have access to a list of students (the PTA directory for example) I could, with a little guessing, determine a student’s id.
However, I am able to enter this student id into MySchoolAccount (as long as that student’s profile has not been claimed by someone else) and see the following information:
- Student’s name (and of course the id along with that name)
- Their lunch purchase history for the past 30 days
- Their account balance
- I am able to add money to that person’s account (no harm in that!)
- Receive a notification via email when balance falls under a certain amount
- By tracking balances/history I would be able to determine if a student qualified for reduced lunch and by extension (most likely; unconfirmed) free lunches, a violation of confidentiality
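The claim check described above, as an added illustration rather than the service's own code: the weak version accepts any unclaimed student id, the hardened version also requires date of birth (the fix the page reports) and adds a per-id attempt limit, which is an assumption of this example, not something the page states. The records, ids and threshold are constructed.

```python
"""Weak vs hardened account-claim checks (constructed example)."""
import hmac

MAX_ATTEMPTS = 5  # assumed lockout threshold; not stated on the page


def sample_records() -> dict:
    """Constructed records. Ids are sequential by alphabet, as the page notes,
    so a valid id is easy to guess from a name list such as a PTA directory."""
    return {
        100101: {"name": "A. Adams", "dob": "1992-03-04", "claimed": False},
        100102: {"name": "B. Baker", "dob": "1993-07-19", "claimed": False},
    }


class ClaimService:
    def __init__(self, records: dict):
        self.records = records
        self.attempts: dict = {}   # failed claim attempts per student id
        self.audit: list = []      # failure log, the signal a defender watches

    def claim_weak(self, student_id: int) -> bool:
        """Original behaviour: knowing a valid, unclaimed id is enough."""
        rec = self.records.get(student_id)
        if rec is None or rec["claimed"]:
            return False
        rec["claimed"] = True
        return True

    def claim_hardened(self, student_id: int, dob: str) -> bool:
        """Require a second fact (DOB, ISO yyyy-mm-dd). DOB has little entropy,
        so the attempt counter is what actually stops guessing it."""
        tries = self.attempts.get(student_id, 0)
        if tries >= MAX_ATTEMPTS:
            self.audit.append(f"locked id={student_id}")
            return False  # needs an out-of-band reset by the school
        self.attempts[student_id] = tries + 1
        rec = self.records.get(student_id)
        # One failure path for unknown, already-claimed and wrong-DOB cases,
        # so the response does not reveal which ids exist.
        if rec is None or rec["claimed"] or not hmac.compare_digest(
            rec["dob"], dob
        ):
            self.audit.append(f"failed claim id={student_id} try={tries + 1}")
            return False
        rec["claimed"] = True
        self.attempts.pop(student_id, None)
        return True
```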
In the past, I could use a student id and name to log onto a student’s Windows XP computer account. Luckily, this has been fixed this year by requiring students to change their passwords.