How safe is my student data?

By Jared Prolo
March 4th, 2015

Ed tech companies are not immune to hackers and vulnerabilities. But schools can protect themselves.

A few years ago I was attending a meeting at my county office, where a vendor who runs a popular education site was making a presentation. If I’m being honest, I’ll admit I wasn’t paying close attention. It was a product our district was already using, and I was our top-level administrator for my district’s domain on the site. Stifling a yawn or two, I started to do what any bored student would do—see if I could break stuff.

Eventually, I happened upon an exploit by chance. I was working both in my district’s instance (the domain and accounts registered for our schools) as well as the one the county office set up for this presentation. Sometimes when I signed out of one, it signed me out of the other as well.

I signed into my district as the top-level admin, and then redirected to the county site by simply changing the URL. In doing so I gained top-level privileges to the county’s instance, too, which should have been reserved exclusively for the vendor reps making the presentation. I raised my hand and asked, “Do you know someone can gain higher privileges than they should have?”

In response I was told, “That’s not possible.”

So, I deleted parts of the presentation content I shouldn’t have had access to. Now I had their attention.