Story: A friend hacked into a school's homework software 🐱‍💻

I was reading Ghost in the Wires by Kevin Mitnick and William L. Simon. And it reminded me of a friend who shared similarities with him. I have a cool story to share.

The year is 2016. He is about 16 or 17. We were sitting in his room in his mom's house, with a large window looking over the narrow, but long garden. I always really liked that place, I felt really comfortable there. Sitting in front of his bulky desktop, he wanted to show me something.

Some background: His girlfriend was attending a school, and the school was using software to train and exam their students, but it was also used for homework assignments. It was written in C#.

Out of curiosity, he put it through a decompiler to examine the source code. Turns out it was very weakly secured, the "database" they were using was actually a FTP server, and the credentials for the FTP server were stored in the program. Then he simply tried to log into the FTP server, via a VPN(I don't think this will protect you very much but it will be another step to unravel), and bingo. It worked.

He showed me: it was a simple directory structure. Each student(or teacher or dean) had it's own directory, and in that directory there were directories for exams and homework and such. The credentials gave also write permissions, so I am pretty sure you could've edited anything, including results, of any user.

If I remember correctly, in each user's directory, there was this weird text file, separted by newlines, which contained much information, such as e-mail address, password and such.

All in plain text. No hashes.

So naturally, he tried an email adress of a teacher and copied the password, and tried to log in to his personal g-mail account. And that also worked. Same password, no 2FA. He snooped around for a bit, finding sensitive personal information, such as immigration papers in his google drive. He didn't look any further, didn't look inside the documents or emails and didn't do anything with it, it was all just for the kick. Hence, I thought of him when I was reading that book Ghost in the Wires.

I was sitting next to him while he did that, and that felt very scary. But I knew, he had no harm to intend.

There was also this HTML file which was supposed to be the login screen, which we edited with a background telling that the server was compromized. Unclear whether that file was actually used.

Then he later informed the software company, with a carbon-copy to the school director via the newly obtained email, about the leakage. And they responded a bit annoyed; they admitted that "not hashing passwords is not tidy", but also wrote him "to put his efforts not into breaking software but to create software". They later changed the password to a hash, but it was a weak one. And later, they removed the hash and started doing plain text again.

Pathetic. If I remember correctly, the software company boasted on their website with "affordable software". No wonder it's so affordable, using a FTP server as a database. What an incompetent developers, this made breaking into the system easy. Never trust the client.

If anything, I am of the opinion that people like him are necessary to make software more secure.

There were many more cool details to this story, but I forgot them.

He abandoned his efforts, though communicated his findings with students. A year or so later, a group of students found another feature in the program: Screenshotting.

The program would regularly make screenshots of the desktop. I don't know the exact interval, but every few seconds or so. Now, this may be defensible when this is on a school computer doing an exam, but this program runs on home computers. The program stars up silently on boot, and even when minimized, makes screenshots without the user ever knowing.

They are sent to a server, and there is a webpage admins can access and they will see a dashboard full of screenshots of every user.

I am pretty sure that's illegal. Anyways, the group was "collecting evidence" to later go to the police or the personal data authority(AP). I encouraged him to tell the students to do that, but they never did, I don't know why.

May you be concerned that this post somehow would cause legal action, that won't happen, as he unfortunately died in 2020. I like to imagine that he would some day have been some kind of white-hat hacker. But sadly that's not the case.

I miss him, but I am glad to have witnessed him and I am glad he found joy in doing using computers in cool ways.

Rip in piece.

(Writers note: I sent this writing to the former girlfriend of him to check for factual errors, but none were found.)

back to aftershave written on 2021-09-26