Teen Tells DEF CON How He Hacked Millions of Student Records From Popular Education Software [Update]

“Hello from Bill Demirkapi :)” read the message sent to thousands of parents, students, and teachers in his school district after the aforementioned teenager hacked his school’s education software. It was one of many bugs Demirkapi discovered over the last three years—another exposed millions of student records—that he presented at this year’s DEF CON, a hacker convention in Vegas.

The software belonged to two of the biggest names in education tech: Blackboard and Follett. Combined, these tech firms provide online education products for more than half the schools in America.

During Demirkapi’s freshman year, a mixture of boredom and aimless ambition led him to start investigating the companies’ interfaces. In Blackboard’s Community Engagement software alone, he was able to access records for roughly 5 million students, everything from their phone numbers to their class schedules, by exploiting common bugs like “so-called SQL-injection and cross-site-scripting vulnerabilities,” Wired reported. He found similar bugs in Follett’s Student Information System, including student passwords that some genius left unencrypted for any fledgling security researcher like him to see.

“The access I had was pretty much anything the school had. The state of cybersecurity in education software is really bad, and not enough people are paying attention to it,” said Demirkapi, according to Wired’s report.

He said he initially tried reporting these vulnerabilities to both his school and the two companies but wasn’t taken seriously. Blackboard representatives ghosted him after a few emails, and Follett never responded at all.

That’s when he got the idea for the text notification, he said. Something authorities couldn’t ignore. And while it earned him a two-day suspension, Follett and Blackboard did patch up the reported leaks in their software’s interfaces last month.

While Follett’s senior vice president of technology, George Gatsis, thanked Demirkapi for helping them suss out these bugs, he maintained in a statement to Wired that the teenager couldn’t possibly have accessed data other than his own even by exploiting the reported security flaws. Demirkapi understandably disagreed and said he showed the company’s engineers his friend’s hacked password as proof.

Representatives at both Follett and Blackboard did not immediately respond to Gizmodo’s inquiries.

At his DEF CON presentation, a member of the crowd asked Demirkapi, now recently graduated, what he’s got his sights set on now. “Start college, maybe break their software,” the young hacker responded, according to Mashable’s report.

Given all the news about recent breaches—including one by a fellow student in Germany who doxxed his country’s politicians—let’s just hope mass texting a smiley face stays the most nefarious result of Demirkapi’s hacking.

Update 9:40 a.m., August 10: A Blackboard spokesperson responded to our request for comment with the following statement:

“Security of our products and our clients’ information is of the utmost importance to us. We greatly appreciate third-party researchers who use responsible disclosures to alert us of any vulnerabilities. We commend Bill Demirkapi for bringing these vulnerabilities to our attention and for striving to be part of a solution to improve our products’ security and protect our client’s personal information. We have addressed all issues that were brought to our attention by Mr. Demirkapi and have no indication that these vulnerabilities were exploited or that any clients’ personal information was accessed by Mr. Demirkapi or any other unauthorized party.”

According to the spokesperson, Blackboard received reports from Demirkapi concerning vulnerabilities in the company’s software on two occasions, once in May 2017 and once eight months later. Both times, its security teams patched the noted bugs in a matter of weeks. As an added measure, the company is reportedly working on partnering with an unspecified security vendor to improve its vulnerability disclosure program.

[h/t Mashable, Wired]

About the author

Alyse Stanley

Gizmodo weekend editor. Freelance video game reporter. Full-time disaster bi.