Former Lexington High School Student Discovered Vulnerabilities In School Software

(Required) — Stack of books with laptop on wooden table

Arun Rath hosts the local broadcast of GBH’s All Things Considered.

September 06, 2019

Updated July 03, 2023

Computer hacking has a bad name, but it's not always used for nefarious purposes. Lexington native Bill Demirkapi, now a student at the Rochester Institute of Technology, helped expose security vulnerabilities in the Follett Corporation's "Aspen" software, which is used by Lexington High School to show students their transcripts and schedules. He recently presented his findings at the hacker convention known as Def Con in Las Vegas. Demirkapi spoke with WGBH News' Arun Rath. The transcript below has been edited for clarity.

Arun Rath: I have two kids in Lexington schools, so I'm on this website all the time. For those who aren't familiar with it, it's got everything on it — school transcripts, permission forms, things like that. Can you start off by telling us how you found the vulnerabilities?

Bill Demirkapi: Starting in ninth grade, when I first got to Lexington High School, I was just introduced with the Follett web application system, and I wanted to get into security testing. And I thought for my first target, how cool would it be to try to find something in my grading system?

Rath: Now the old image we have, and you're maybe too young to know "Ferris Bueller's Day Off," but we imagine somebody going online and changing their grades, changing their transcripts. Tell us what you had access to do and what you could do when you were inside.

Demirkapi: I've of course watched "Ferris Bueller's Day Off," it's a classic. That's of course a little bit more Hollywood. When you first log in, there'll always be this little section that was called "Group Resources" — maybe the school wanted to post the student handbook, or they want to post the school schedule, but it's basically resources that the school can publish to students and teachers or parents. And what I found was that as a student, I could actually post these "Group Resources" myself.

Rath: And you did try to alert Follett to the problem, right?

Demirkapi: Yes. So Follett didn't really have a security contact, so it was really difficult to get in touch with them. Also at this time, I was in tenth grade, and I had basically no experience, so I had no idea when the vendor doesn't listen to me, what do I do? And so it just really was difficult to try to find a way to pass along these vulnerabilities that I thought were mildly serious. And so after not being able to get in touch with Follett, I did something mildly immature, and I actually made a "Group Resource." And so I sent out a message that said, "Hi there. Bill Demirkapi was here. Follett Corporation has no security. Here are your cookies. No worries, I didn't steal them."

Rath: How did the company, and how did the school react to that?

Demirkapi: So anyone who had the app installed actually got a notification that this "Group Resource" was published. Their reaction was obviously not that happy, understandably. I don't know how happy I'd be if some student did this. And they took it pretty seriously, and unfortunately I did get suspended for two days. The school's argument was that a lot of parents got concerned about it, so I created a major disruption.

Rath: But things did smooth out. Everyone came around to appreciating what you found, and there was more to find still, right?

Demirkapi: Yeah, in a way. About a semester later, I went to my principal and I said, "Hey, I want to disclose these vulnerabilities responsibly." They actually set up a meeting within a week with Follett, and then we were able to disclose the vulnerabilities and get them patched in a reasonable time frame.

Rath: Do you feel like it's pretty secure? Like as a parent now, can I ask you, how secure is it when I'm logging in?

Demirkapi: Those set of vulnerabilities got patched, but the files system stuff, I hadn't even discovered yet at this point. So starting in senior year, that's when I actually found the big vulnerabilities regarding having access to the server's file system. The Follett application is run on a web server, and so what I had access to was actually being able to access that web server's files. So that means that anything that Aspen could access on a server, I could access that file as well. And it was really interesting to see this, because it seemed that they used one server for a lot of different schools. And so just having that access could have been pretty detrimental, had it been a bad actor or a nation-state.

Rath: And for people who aren't familiar with the world of hacking, this is actually a thing — people who go and find vulnerabilities, not to steal information, but to let people know, 'Hey, these are vulnerabilities, you should fix them.'

Demirkapi: Yeah, absolutely. People will test companies as a penetration tester and try to act like the bad guy, so that the company can fix these vulnerabilities to make the company stronger. So that when there's a real attacker, someone that actually has malicious intent, then they're ready for it, and they've considerably lowered the places that they could be attacked from.

Rath: It's a lot of potentially scary stuff. Bill, I'm happy you're on the good side.

Demirkapi: Yeah, absolutely. I'm happy too.