During Demirkapi’s freshman year, a mixture of boredom and aimless ambition led him to start investigating the companies’ interfaces. In Blackboard’s Community Engagement software alone, he was able to access records for roughly 5 million students, everything from their phone numbers to their class schedules, by exploiting common bugs like “so-called SQL-injection and cross-site-scripting vulnerabilities,” Wired reported. He found similar bugs in Follett’s Student Information System, including student passwords that some genius left unencrypted for any fledgling security researcher like him to see.
“The access I had was pretty much anything the school had. The state of cybersecurity in education software is really bad, and not enough people are paying attention to it,” said Demirkapi, according to Wired’s report.
Teen Tells DEF CON How He Hacked Millions of Student Records From Popular Education Software