I've reported over a dozen security concerns and vulnerabilities to my high school, and I'm unsure where to take the situation.

It would be best to start this story from the beginning and have a timeline of what exactly has transpired from the day I reported my first vulnerability to now.

I started high school a few months ago for the first time. For context, the district my school is in has over 9,200 students and ~2,000 are from the school I'm at now. In early September I reported a vulnerability in Google Drive. It wasn't specific to this school, but essentially anyone could type in source:domain into the search box and everything shared with the entire district could be viewable. I wouldn't say this is the most severe thing now, and if you look at it now it's just Google Sites people made about genocides and photos of teachers, but I reported it to the librarian anyway since I managed to find a few things (I've forgotten them since) that shouldn't be shared with everyone in the district. The librarian forwarded my email to the guy who does IT for the school who said that they would be notifying staff about the status of the things they share, as well as forwarding the email to the guy who manages the G Suite permissions (who I would later come in contact with). I learned from my friend (whose mom works as a teacher for one of the schools) that an email was actually sent out.

I wouldn't call myself a Marcus Hutchins for that, nor for anything I'm going to detail in this post, but regardless I thought that would be the last thing I would find. That's a pretty recurring theme and something that ends up being a bit of a problem for me.

A week after my initial email to the librarian, I decided to go directly to the person who does IT for the school to report a vulnerability with ViewState in ASP.NET (which some of the district's custom-coded websites use). I never got a response back, although I did meet with him a month later and got acknowledgement that it had been read.

Two months passed since my second email, and I decided to send him an email again, this time with a massive amount of security concerns and vulnerabilities, and sent two more replies within the week with even more of those things. A month passed and nothing had been fixed, which I had no problem with, since I was aware that not everything gets fixed because IT, especially in a school environment, often has limited resources. The only fixed vulnerability was part of a larger one, which was that certain Google Groups could be viewed by anyone. One of those was a "catch-all" email for error logs, bug reports, and the sort, which was restricted from public access if only because the person who did IT at the school was a manager of the group.

After a month of nothing being done, I decided to go directly to the IT director of the whole district (he's also the one who manages G Suite permissions). Before approaching him, however, I went to my friend whose mom is a teacher at one of the schools, and received a message over Discord from him that I could approach the IT director, and if nothing was done then it would be taken up to administration. Despite the option of being anonymous, I decided against it, given that they already knew my name.

What happened from there was a text message conversation between his mom and the IT director. My friend kept me posted on the events that transpired, which amounted to the IT director learning my name, then getting the email, and saying/suggesting that he was mildly annoyed that I knew more about the systems I had written about than he did. I received a "Thank you" reply back, but my friend informed me that that's about the extent of what he's going to say.

Exactly a week after my initial email to him, I sent another one two days before Christmas break (the email was three days ago) which detailed an even higher-severity vulnerability. I haven't gotten a response back from either my friend or the IT director, and to date, apart from that one Google Group, none of these vulnerabilities have been fixed. I'll list all of them here for context (obviously not in detail):

Initial email

  • A misconfiguration in around ten Google Groups allowed anyone to view them.
  • A misconfiguration in one of the groups allowed anyone to send as the email that the Google Group is attached to, which is just one word.
  • A misconfiguration in some of the groups might allow someone to add everyone in those groups to a Google Doc or potentially a Google Calendar entry.
  • A feature was left open allowing anyone to view the email addresses of everyone in the entire district (including students). It's limited to around 10 or so entries at a time so no one can just copy them all at once, but that doesn't stop anyone from using WebDriver. The reason this was highlighted in my email is that the district previously had a problem where someone emailed all of the Google Groups that students at each school were added to, and I don't need to explain why Reply All is the worst thing in history.
  • A COVID-19 reporting form didn't have proper file upload restrictions.
  • All of the district's custom-made sites leak the ASP.NET version in the HTTP header, as well as the IIS version.
  • Similarly, they all lack HSTS (which is essential when you consider someone can just bring a Wi-Fi Pineapple to school), CSP, and X-Content-Type-Options.
  • One of the sites that everyone in the district uses daily doesn't redirect to HTTPS.
  • Some essential cookies aren't secure, like authorization cookies. If the site were to link to an HTTP resource, this would be pretty bad.
  • There were some SSL/TLS security concerns I won't go into since they're really technical and I'm worried they sound like technobabble.

Second email

  • The district uses a domain for all kinds of reports and data collection, which only some users have access to. There's a URL that allows you to view as any user. I don't need to explain this one.
  • There's no DMARC record for emails in the district which means that a certain email that's sent out every week can just be forged and the link in it replaced with whatever the person wants. The first email will still be sent but having a DMARC record is still really important and people will click on the second (fake) email.
  • Some of the sites leak the internal IP address of whoever is hosting them, as well as WebResource.axd.
  • The jQuery version used on the sites is really old and from 2013.

I'm not sure where to take this situation from here. I read a post from /u/Racingteamsam last night that led me to make this post and I'm torn now. On one hand I read comments like this:

The problem is that they are aware you have access to those resources because of your emails. If you decide to "wreak havoc" or "leak the data" as the others suggested, they'll start to suspect you. From their perspective, there's a mysterious black box that shouldn't be touched by anyone besides the IT guy. After so many peaceful years, a student says that he knows how to access it. Soon after that, there's a data leak. Even the dumbest person would connect the dots and know who's going to be the first suspect...

It didn't immediately cross my mind, but now I've realized I might be framed if someone finds one of the vulnerabilities and exploits it. Suddenly, I'm a prime suspect. The truth is I don't intend on exploiting them and I genuinely just want them fixed at this point, because if they don't do it now then someone is going to light a fire under their asses and it won't look good for IT or me.

My (un)professional response to your question? Exploit the weaknesses and demonstrate how you did it. These people are reactionary and only learn through pain. If you don’t do it, someone nasty will!

I don't intend on doing this either.

As someone who did something similar to you, both at school and when I was on work experience when I was 16... People don't like to look stupid. They won't be patting you on the back; no, on the contrary, you will be seen as someone dangerous and someone who needs to be dealt with. This isn't your fight, let them worry about it. Do however keep your curious mind, and keep doing what you're doing, but I assure you they will make you suffer if you point this out and put a bad taste in your mouth. Keep learning, but yeah... people don't like to look incompetent, especially from "kids" - again I am speaking from personal experience. When I pointed things out they got in "experts" at great cost to them to make sure I had not hacked anything else, a full investigation. Luckily for me I am in the UK, and this was back in the day. Suffice to say it cost them money and I was blacklisted - luckily I was leaving in a few months, but not after being told I'll be in prison within 6 months of leaving for hacking (which is bullshit as it was hardly hacking, and I was doing them a favour).

I'd tread very, very carefully. Your actions, even with good intent, were illegal. You cannot access machines you don't own or have permission to use. Even if you were to make a disclosure anonymously, it could be tied back to you given your existing access and the logs that would have generated, in addition to the emails you sent.

Be very careful how you proceed here. Being the messenger in these situations never ends well.

I’ve been in similar situations, and all I can tell you is that they can get really dicey really fast. First of all, absolutely do not access that server or mention that you did if possible (although it may be too late for that). Make sure you have extensive documentation of any problems and always stop one step before you get to the actual vulnerability. You want to know that it’s theoretically possible, but don’t want to make it possible to prosecute you for hacking. It’s often easier for a bureaucracy to make the problem “go away” by alleging misconduct on your part rather than doing the right thing and fixing the issue.

Honestly just forget you know about it. They're not going to work with you, when I found security bugs at my high school it turned into a 7 month long court case that ended in me being convicted of a felony.

Also, you seem to be setting yourself up for expulsion and a talk with the FBI when you embarrass your school administration by openly exposing their incompetence and giving them a reason to have you put away as a "hacker". Schools love to shoot the messenger. It has happened many times.

You are playing a high stakes game whether you know it or not, you’ve already surely broken a handful of acceptable use policy items and accessed sensitive personal info you were not authorized to access. Better be careful. Of course what they SHOULD do is thank you and give you an award, but there are numerous examples of people getting a legal asspounding after such situations or even less, you’re gambling on who’s in charge here and how they’re going to react.

Obviously, I didn't access a server with a default password and username, but the point still stands. I'm on very thin ice at this point.

On the other hand, I was told by my friend's mom that I wasn't liable in this situation and, in my words, the ice is thicker than I think it is. But who knows? Accessing users on that one domain doesn't sound like it's small enough for me to have no liability.

At the end of the day my ideal situation is for IT to fix the problems. It would be a dream to be able to work with them, but that's really unrealistic and dangerous. What it's heading to is either after break me having to go up to admin and then things start to go off the rails from there and I get in serious trouble, or someone gets fired. I don't want either situation, and especially the former.

I know one of the responses I'm going to get, or a lot of them, is just to "ignore everything that's happened and let IT take over". I'm taking an active approach to this situation for two reasons. One, I'm pretty sure I'm going to find another vulnerability and I'm not waiting to report it only for some attacker, in the district or not, to exploit it. Two, nothing has happened since either of my emails.

What do I do in this situation? I have a teacher on my side, but I fear that may not be enough and I'm still very liable. I started from a few button presses to one of the worst vulnerabilities this district has probably ever seen in a while where alone people's COVID-19 positive/negative/vaccination statuses are visible and most likely way worse stuff. I don't think I'm not liable for that at that point and I'm reaching into territory that is, to say the least, illegal.
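Several items in the two lists above (missing HSTS, CSP and X-Content-Type-Options, authorization cookies without the Secure flag, a site served over plain HTTP with no redirect, ASP.NET and IIS version headers, and the absent DMARC record) are things a site owner can verify against their own servers in a few lines. The script below is an added example written for this page; it is not code from the original post and has nothing to do with the district's actual systems. It audits constructed sample HTTP responses and DMARC record strings entirely offline, so every hostname, cookie value and header value in it is made up.

```python
"""Offline hygiene audit of HTTP response headers, cookie flags and a DMARC record.

Added example, not from the original post. All sample responses below are constructed.
"""
from typing import List, Optional, Tuple

# Headers the post lists as missing, with the consequence of each omission.
REQUIRED_HEADERS = {
    "strict-transport-security": "no HSTS: browsers will accept a downgraded plain-HTTP connection",
    "content-security-policy": "no CSP: injected scripts run without restriction",
    "x-content-type-options": "no X-Content-Type-Options: browsers may MIME-sniff responses",
}
# Headers IIS/ASP.NET emit by default that reveal platform versions.
VERSION_LEAK_HEADERS = ("server", "x-aspnet-version", "x-powered-by")


def parse_raw_response(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 response head into (status, [(lowercase name, value), ...]).
    A list is used rather than a dict so repeated Set-Cookie headers survive."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_response(raw: str, requested_scheme: str = "https") -> List[str]:
    """Return a list of findings for one response. requested_scheme is the scheme
    the client used; a plain-HTTP request should only ever get a redirect to HTTPS."""
    status, headers = parse_raw_response(raw)
    names = {n for n, _ in headers}
    findings = []
    if requested_scheme == "http":
        location = next((v for n, v in headers if n == "location"), "")
        if not (300 <= status < 400 and location.startswith("https://")):
            findings.append("HTTP request served without redirect to HTTPS")
        return findings  # the remaining checks only apply to the HTTPS response
    for name, why in REQUIRED_HEADERS.items():
        if name not in names:
            findings.append(why)
    for n, v in headers:
        if n in VERSION_LEAK_HEADERS:
            findings.append(f"version disclosure in {n}: {v}")
        if n == "set-cookie":
            cookie_name = v.split("=", 1)[0].strip()
            attrs = {a.strip().split("=")[0].lower() for a in v.split(";")[1:]}
            if "secure" not in attrs:
                findings.append(f"cookie {cookie_name} lacks Secure flag")
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie_name} lacks HttpOnly flag")
    return findings


def audit_dmarc(txt_record: Optional[str]) -> List[str]:
    """Evaluate the value of a _dmarc.<domain> TXT record; None means none is published."""
    if txt_record is None:
        return ["no DMARC record: receivers get no instruction to reject forged mail from this domain"]
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("malformed DMARC record: missing v=DMARC1")
    if tags.get("p", "none") == "none":
        findings.append("DMARC p=none: forged mail is only monitored, still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports of forgery attempts go nowhere")
    return findings


# Constructed sample responses (hostnames, cookie values and versions are made up).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Set-Cookie: .ASPXAUTH=abc123; path=/\r\n"
    "Content-Type: text/html\r\n\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: .ASPXAUTH=abc123; path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html\r\n\r\n"
)
PLAIN_HTTP_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
REDIRECT_RESPONSE = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\n\r\n"

if __name__ == "__main__":
    for label, raw, scheme in (("weak", WEAK_RESPONSE, "https"),
                               ("hardened", HARDENED_RESPONSE, "https"),
                               ("plain http", PLAIN_HTTP_RESPONSE, "http"),
                               ("redirect", REDIRECT_RESPONSE, "http")):
        print(label, audit_response(raw, scheme))
    print("dmarc absent", audit_dmarc(None))
    print("dmarc reject", audit_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.test"))
```

On a real deployment the raw response comes from a single request to your own host (for example `curl -sI`) and the DMARC value from a TXT lookup of `_dmarc.<domain>`; the checks themselves are unchanged. The HTTP branch returns early on purpose: a plain-HTTP response that is anything other than a redirect to HTTPS is the finding, and the header and cookie checks only make sense on the HTTPS response that follows.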

submitted by /u/wizardarrays

from hacking: security in practice https://ift.tt/33ygLg6
