“Serious vulnerabilities in UvA’s digital learning environment”
The digital environment used at the University of Amsterdam (UvA), a customized version of the web portal Blackboard, contains major security vulnerabilities.
So say Bram ter Borch and Auke Zwaan, two students at the University of Amsterdam who investigated the security of Blackboard at the university for their studies.
They say they presented their findings to the ICT department of the UvA in May of last year, but that this did not lead to the leaks they found being sealed. Ter Borch and Zwaan therefore decided to publish their research after all.
According to the duo, the customized version of Blackboard that students and teachers of the UvA log in to contains a few obvious security risks. For example, after the secure login screen users are redirected to an unencrypted web page, which an attacker might take over.
The passwords entered are also said to be encrypted and secured so weakly that they can be easily cracked. There was, for example, no limit on the number of login attempts from a single IP address. In addition, users’ passwords can be changed without the old password being required.
Via their own Blackboard account, Ter Borch and Zwaan were also able to print out a list with the details of 143,000 accounts, including first and last name and the associated e-mail address. They then found out that for many of these accounts the password was the same as the username.
That way, they got access to nearly 11,000 accounts, including a test account with far-reaching access to the Blackboard environment, with which they could capture exams that had not yet been taken.
The two students also succeeded in injecting malicious code into popular pages, such as the home page of a particular subject. Through this code they were able to take over the accounts of visitors to these pages and perform actions on their behalf.
In a response to the published research, UvA spokesperson Annelies van Dijk says that Blackboard was given an upgrade in the summer of 2016 and that further patches have regularly been applied since then. “With these kinds of updates we try to avoid these kinds of holes.”
Van Dijk acknowledges that not all the leaks that Ter Borch and Zwaan raised have been closed. But she disputes their conclusion that the UvA does not take information security seriously. “It continually has our attention.”