At the ongoing Defcon 2019, the 18-year-old Bill Demirkapi presented his findings after three years of research about a software deployed in his school. He discovered that a security flaw in the software could allow a hacker to gain access to records of 5 million students.
He found vulnerabilities in two software developed by Blackboard and Follett that were deployed in his school. The bug in the software developed by Blackboard made records like immunization history, cafeteria balance, student grades, photos and cryptographically hashed passwords vulnerable to attack.
The 18-year-old hacker started exploring the software when he was in 10th grade. He did so out of boredom and curiosity about cybersecurity. Demirkapi says, “I have a passion to, I guess, break things. I really wanted to learn about web application testing, so I thought, well, how cool would it be to test on my own school’s grading system?”
Besides finding flaws in his school software, in a separate incident, Demirkapi also used his technical knowledge to exploit a college admission software developed by Follet. He changed his admission status to “Accepted.”
Demirkapi says that after he discovered bugs in the school software and tried contacting the firms behind it, they didn’t take him seriously and ignored his claims. To bring the attention, he adopted a typical “hacker” approach and created a group resource in his school’s account in the Follet’s software. It sent a push notification to everyone using the software in his school in which Demirkapi wrote: “Hello from Bill Demirkapi 🙂”
He was suspended from school for two days after the incident.
Interestingly, Demirkapi even thought about applying for a job opening for a new chief information security officer in Blackboard but later dropped the idea and applied for a college.