eCollege Vulnerabilities


Description

The University of Advancing Technology uses an online distributed learning environment called eCollege. This proprietary system helps to keep students in touch with their classmates, instructors, and assignments. Through the system, a student can take tests, communicate on a discussion forum, retrieve and submit assignments, and even chat live with classmates. The problem is that, to provide much of this functionality, the developers of eCollege chose to rely on JavaScript running in the student's browser. That is not a problem in itself; the real issue was the lack of testing of the product that UAT employed.

This presentation outlined two specific vulnerabilities within the eCollege system. They allowed students to retake tests as many times as they wished (in a specific configuration, sometimes with the answers provided to them), and to spoof their name in the discussion forum. The eCollege help desk was contacted multiple times in an attempt to get the vulnerabilities fixed, but to no avail. Eventually, the local network security club, DC480, held its first DC480 Convention. This presentation was given to anyone who wished to understand the vulnerabilities, in the hope that the issues would be patched. Finally, about six months after the presentation, the developers released a patch for these two specific vulnerabilities.

The credit for finding the vulnerability belongs to Eric Huggins. I provided additional research, and the development and delivery of the presentation.

The presentation that I created and conducted at DC480 1 is provided in the link above.

Lessons Learned

This was my first experience in disclosing a vulnerability in a live system. In building the momentum behind the presentation, I learned how (and how not) to approach corporations with reports of software flaws. I was also able to examine some of the legal issues surrounding software as intellectual property.