WTF University Meets Blackboard


I just read the newest post at Daily WTF and it reminded me of the fun times we had with the Blackboard system. Yes, I am talking about the same company which patented LMS.

You see, Blackboard is so flawed that some professors who teach security classes use it as an example of an easily hackable system. Case in point, our very first assignment was to bypass Blackboard visibility features and access the “instructor only” document posted on the assignment page. I think it took me under a minute to get to it once the problem was explained. Most of the people who brought laptops to class that day were able to get it before the end of the lecture.

You see, just like the WTF system described in the linked article, Blackboard does not have any access restrictions on uploaded files. It sticks them into obscure directories with complex names, but once you figure out the pattern you can access them without any trouble. In fact, you can easily harvest the entire contents of the digital dropbox using a relatively simple Perl script.

You can also easily wipe the entire digital dropbox clean by deleting all the submitted files. All you need to do is play around with the URL a little bit. If you create a Perl script not much unlike the one above, you can just leave it running and go for a coffee while the homework of thousands of students gets trashed. I’m not going to post that exploit here, because I don’t want to feel responsible when someone pulls it off. As far as I know this exploit was never published. Blackboard didn’t seem to care when we tried to report all these issues to them. Kinda like the guy in the article.
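The fix for both problems is a per-request access check in front of the file store, so that knowing a path grants nothing. The sketch below is an added example, not Blackboard's code or anything from the original post; the record fields, role names, storage root and sample paths are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath

STORAGE_ROOT = PurePosixPath("/srv/lms/files")  # hypothetical storage location

@dataclass(frozen=True)
class StoredFile:            # hypothetical record, not Blackboard's schema
    course: str
    owner: str               # account that uploaded the file
    visibility: str          # "course", "instructor_only" or "dropbox"

# Constructed sample data: course roles per user and a file index keyed by path.
ROLES = {"prof": {"SEC101": "instructor"},
         "alice": {"SEC101": "student"},
         "bob": {"SEC101": "student"}}
INDEX = {
    "SEC101/x9f2/syllabus.pdf": StoredFile("SEC101", "prof", "course"),
    "SEC101/k3q8/solutions.pdf": StoredFile("SEC101", "prof", "instructor_only"),
    "SEC101/dropbox/7c1e/hw1.pdf": StoredFile("SEC101", "alice", "dropbox"),
}

def authorize(user, f, action):
    """Decide from the user's role in the file's course, never from the path."""
    role = ROLES.get(user, {}).get(f.course)
    if role == "instructor":
        return action in ("read", "delete")
    if role == "student" and action == "read":
        if f.visibility == "course":
            return True
        if f.visibility == "dropbox":
            return f.owner == user        # students see only their own submissions
    return False                          # default deny, including all student deletes

def serve(user, rel_path, action="read"):
    """Return the on-disk path only after the request passes the access check."""
    p = PurePosixPath(rel_path)
    if p.is_absolute() or ".." in p.parts:
        raise PermissionError("denied")
    f = INDEX.get(rel_path)
    # Unknown file and forbidden file give the same answer, so paths cannot be probed.
    if f is None or not authorize(user, f, action):
        raise PermissionError("denied")
    return STORAGE_ROOT / p
```

With this in place the obscure directory names stop being the only barrier: a student who guesses the path to the instructor-only file or to a classmate's submission gets the same refusal as for a path that does not exist.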

The saddest part is that the system described in Daily WTF is some ugly hack job conceived and maintained by an incompetent sysadmin. Blackboard, on the other hand, is an enterprise-grade, mature software suite deployed at hundreds of universities throughout the country…


6 Responses to “WTF University Meets Blackboard”

    1. Travis says:

      And to think… these are the people trying to TEACH today’s youth.
    2. ZeWrestler says:

      Heheh. So you, me and a select 20 other people know of this flaw. I even tried myself informing a Blackboard person who had come to campus for a career fair. Didn’t like it when I told him that his company made incompetent flawed software that they refuse to allow people to inform them of the bugs.

      But hey, they have a monopoly now. Meaning that like Windows, when a flaw is discovered and published, it could have widespread problems.

      I also want to point out that even though you haven’t said how the flaw can be exploited, the fact you made reference to the point it exists means that someone out there will sit down and attempt to find it.
    3. Luke says:

      Well, don’t want to feel responsible if someone does this thing and fucks up their school, and gets in massive trouble because of it. But if they sit down, figure out the exploit and run it - oh well. Bad publicity for Blackboard would not be a bad thing. Maybe they would finally patch it then. :P

      I think Robila tried to get in touch with them too, and they kept sending him to different departments until he gave up…
    4. ZeWrestler says:

      I know he tried on several occasions to contact them. Then he just became apathetic and gave up.

      Here’s a thought: would they sue an open source project if it violated the patent? If not, I say loophole.

      Hmm. How would we go about publishing the flaw? That’d get our names out there.

      (Side note, my new place has Blackboard.)
    5. Douglas says:

      The ENTIRE Education Department of South Australia (obviously, that’s in Australia) is using the Blackboard Learning System. I think it is crude and inefficient. Now I have another reason to despise it: It’s insecure.

      But then again, the only things it’s used for in this school are checking one’s quota, checking one’s email, sending one’s email, setting up message forwarding to someone who has set up message forwarding to you so you create an endless loop and, well, that’s pretty much it. I miss the old myInternet system, but I don’t miss Dingo Mail (which was pure rubbish).
    6. Terminally Incoherent » Blog Archive » Blackboard Gradebook Sucks says:

      […] And this is just one of the few of my gripes about Blackboard. There are many more. Don’t get me started on the easy-to-apply exploits that are never patched or the stupidity of their unstructured Digital Dropbox concept. What’s wrong with having every single homework assignment going into a single chronological, unstructured list - right? […]
