In high school I realized that my school's grading system was using a JavaScript scheme to control access to grades online:
1. Concatenate the username and password, hash the combination
2. Name the HTML file with the grades using that hash
3. When the user logs in, calculate the hash in JavaScript and redirect to that HTML page.
In theory, you can only work out the URL of the page if you have the username and password in hand. I'm sure it was pretty trivially brute-forceable, but aside from that it seemed sort of okay.
Until I realized that directory listings were turned on, and the directory that had all the HTML files sometimes had no index.html, thereby rendering the entire obfuscation scheme moot.
(n.b. I was too ethical to use this to peek at anyone's grades! I did try to report it but it was never clear to whom to report it, and since every teacher generated these files using their own copy of the program, there was no obvious central place to report this to. A couple of years later online grades were centralized into a different system.)
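A check a site owner could run against the failure described above, as an added example that is not part of the original post: it walks a static web root and reports every directory with no index file, which is exactly what a server with directory listings enabled would enumerate. The index file names and the sample tree are assumptions constructed for the example.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");

// Assumption: the index names the web server is configured to serve.
const INDEX_NAMES = new Set(["index.html", "index.htm"]);

// Return the directories (relative to root) that contain no index file.
function findListableDirs(root) {
  const exposed = [];
  const stack = [root];
  while (stack.length > 0) {
    const dir = stack.pop();
    let hasIndex = false;
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      if (entry.isDirectory()) {
        stack.push(path.join(dir, entry.name));
      } else if (entry.isFile() && INDEX_NAMES.has(entry.name)) {
        hasIndex = true;
      }
    }
    if (!hasIndex) exposed.push(path.relative(root, dir) || ".");
  }
  return exposed.sort();
}

// Constructed sample: two per-teacher directories, only one has an index.
function buildSampleRoot() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "grades-"));
  fs.writeFileSync(path.join(root, "index.html"), "<p>login</p>");
  for (const teacher of ["teacher-a", "teacher-b"]) {
    fs.mkdirSync(path.join(root, teacher));
    fs.writeFileSync(path.join(root, teacher, "0123abcd.html"), "<p>grades</p>");
  }
  fs.writeFileSync(path.join(root, "teacher-a", "index.html"), "<p>login</p>");
  return root;
}

const sampleRoot = buildSampleRoot();
console.log(findListableDirs(sampleRoot)); // directories that need an index or listings off
fs.rmSync(sampleRoot, { recursive: true, force: true });
```

Any directory it reports needs either an index file or, better, directory listings disabled in the server configuration.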
My first year of computer science, I was bored in the labs one day working on a basic Pascal programming assignment. Back then, our university had a VAX mainframe system that everyone worked on (staff and students alike).
I logged off my account, and then just for the fun of it, decided to log back in using my course unit (INF180) as the username and password.
Lo and behold, it let me in. As the course administrator. I could see student records and past assignment gradings for everyone else on my course.
Looking at the folders, it seemed that future assignments etc. were also stored within that account. I didn't go any further. I simply logged out and stayed quiet (and uneasy) about the whole thing. I was too scared to report it in case I was thrown off the course for 'hacking' the system.
A few years later (after I had well completed my studies), I was helping a friend in the same labs with an assignment. I wondered if they still had the same flaw, so I found a spare workstation and tried the same trick, but it wouldn't let me in. Glad they fixed that loophole.
Small town, small class, small faculty - makes it all hard to stay anonymous. Plus there wasn't any formal reporting method that I knew of at the time.
In hindsight, I probably wasn't the only one who might have cottoned on to this. It was purely due to lazy systems administrators. All students were given their student number as their login, and the default password was... our student number. It was strongly suggested that we change our password after first login, but it was never forced upon us, so not many did change it.
On that lazy day, I simply wondered if the same password 'policy' was in place for our lecturers too, so I guessed that their login might be the unit code, and the password would be the same. In a class full of bright CS wannabes, I am sure a few of the others had the same thought.
No doubt they became aware of this at some stage and that is why it was (thankfully) changed.
decided to log back in using my course unit (INF180) as the username and password...I didn't go any further. I simply logged out and stayed quiet (and uneasy) about the whole thing. I was too scared to report it in case I was thrown off the course for 'hacking' the system.
Since when have this country's schools been run by idiots? Not you, but the people who would have let such an idiotic situation come about and on top of it, have created a climate where one would fear repercussions for reporting on it? Since when has this country become run by uncomprehending idiot authoritarians? When did this come about!? AFAIK, High schools and colleges weren't like this in the 80's.
For what it is worth, this was in a small town in Australia back in the early 80's... Simply a case of lazy admins (see my comment reply above). Probably even only down to one guy's slack work ethic.
I think the entire university's IT department at the time consisted of 4 guys running around trying to keep the mainframe running. There probably weren't any solid policies on password security.
Back in high school (private boarding school) it was one of the math teachers who was running the mainframe. (And teaching the programming class.) Security consisted of students trying to break into each other's accounts and leaving Easter Eggs in each other's BASIC games.
Speaking as someone who checked the security of quite a few colleges in the 90s, I can say that for the most part, almost no one then had any idea that security was even a thing. So if they really were somehow better in the 80s it didn't last long.
Back in college I did a few things that today might have netted me a visit by the Net Cops [1], but since I knew the sysadmins of the systems in question, I never got into trouble. A friend of mine though, who wasn't friends with the sysadmins, did get in mild trouble.
[1] Much like the Phone Cops [2], the Net Cops could have cut my career short.
It all comes down to the campus culture. Our CS Dean at the time was an 'old school' cranky pants kind of guy, so I don't think he would have taken kindly to such a breach.
On the other hand, the new Dean of the computing faculty that took over the year after was a really cool guy, and he is someone I wouldn't have had any hesitation to go to and report such incidents.
From the way we've seen most schools respond to these types of reports from students you have to wonder if you were lucky that you couldn't figure out how to report it!
The time I accidentally took down the entire school website, I luckily did it at school and immediately told my understanding math teacher, who told IT directly, who came and asked me what I'd done, and fixed it within a couple minutes.
Definitely. My high school's school district made a similar mistake with enabling directory listings, enumerating hundreds of documents with words like "Confidential" and "Audit Report" in the file names. Tried to report it at the time but I got the runaround from the school office; years later I'm glad I didn't manage to get any further with it.
When I found a way to bypass the login process back in university and thereby gain access to the previous users' network storage in university, I reported it anonymously for that very reason.
Circa 2005, we got hired by the district for finding problems.
Of course, we either found them during tech class (pre-req for A+ class) or after we'd asked the school tech for permission to explore (and been told it was okay as long as we documented what we learned/didn't do obviously malicious things).
I think the worst I saw was a kid get suspended for a week then kicked off the network for the rest of the year. He got caught with a ton of warez, pirated stuff, etc on his share when we got investigated by the district for accidentally taking down the network because someone left Guild Wars auto-patching on.
Did something similar once, then a friend of mine found out the password within 5 minutes using a simple Google rainbow table search. So make sure to at least salt it :)
And always perform hash verification or decrypting client-side so you can prevent brute-force attacks (purposely slowing down the hash verification or decrypting to 100ms is okayish already).
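The salting and slowing-down suggested in the comment above, applied to the hashed-filename scheme from the top of the thread, as an added example that is not code from any poster or from the grading program. SHA-256, PBKDF2, the iteration count and all function names are assumptions; the thread does not say which hash the original used.

```javascript
const crypto = require("crypto");

// Length-prefix each field so ("ab","c") and ("a","bc") encode differently;
// plain concatenation, as in the described scheme, cannot tell them apart.
function encodeCredentials(username, password) {
  const fields = [username, password].map((s) => Buffer.from(s, "utf8"));
  return Buffer.concat(fields.flatMap((field) => {
    const len = Buffer.alloc(4);
    len.writeUInt32BE(field.length);
    return [len, field];
  }));
}

// The scheme as described: one fast, unsalted hash of username + password.
function unsaltedPageName(username, password) {
  const digest = crypto.createHash("sha256").update(username + password, "utf8");
  return digest.digest("hex") + ".html";
}

// Salted, deliberately slow variant. The salt is a per-deployment value that
// ships with the login page, so it is public: it defeats precomputed tables,
// while the iteration count is what raises the cost of each guess.
function saltedPageName(username, password, salt, iterations = 600000) {
  const material = encodeCredentials(username, password);
  const key = crypto.pbkdf2Sync(material, salt, iterations, 32, "sha256");
  return key.toString("hex") + ".html";
}

// Constructed demo values, not real credentials.
const DEMO_SALT = Buffer.from("constructed-site-salt", "utf8");
console.log(unsaltedPageName("jdoe", "constructed-password"));
console.log(saltedPageName("jdoe", "constructed-password", DEMO_SALT));
```

The derived name is still only an unguessable URL: it does nothing if the directory holding the pages can be listed.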
You just can't change your password. If you want to change it, you go tell your teacher your new password, and then when they update grades, that's the password that will work.
Of course, each set of grades is managed by each teacher individually, so you would have to individually update your password on each "system"...
Not that I recommend this, but if you want a (US) school to fix a grading security issue, you threaten to sue because exposing grades is a FERPA violation and schools could lose funding.
I was able to enter my high school's student information and grading system without any kind of authentication. I didn't really know much about computers at the time, so I was just looking through the applications installed on one of the nicer media lab computers and found the access portal. I didn't change anything though, but only because the lab teacher seemed suspicious already.
I hope at least they discouraged crawling of the pages using robots.txt otherwise a directory listing would index all the sub-pages. If you're really unlucky they might even end up in web.archive.org.