The Australian SC Magazine, along with security professionals and an unnamed Australian university, has uncovered several major security flaws in the learning management system Blackboard. The magazine reports that the security holes could allow students to change grades and download restricted materials (such as unpublished exams) and could expose them to identity theft.
The vulnerabilities were discovered when the university hired Securus Global to test the security of the Blackboard software. During these tests, Securus Global was able to gain administrative access to databases in which exams, assignments, and grades were stored. The company was also able to access students' personal data.
According to SC Magazine, these problems exist in all versions of the Blackboard Learn system, even the recently released version. This latest version doesn't eradicate the security flaws, although it would make these particular exploits more difficult. However, many schools are using older and more vulnerable versions of Blackboard.
SC Magazine contacted Blackboard for comment, and cites Blackboard Learn security director Stephanie Tan as saying that the vulnerabilities it had uncovered were not "highly critical."
"We are not aware of any institution's academic or student data having been compromised in any way by these issues," Tan told the magazine. "Many of these issues are common issues associated with any type of web application or software, and all of the issues will be addressed through existing patches and planned releases." Tan said those vulnerabilities will remain until Blackboard releases its next service pack update, scheduled to come prior to the end of the year.
The Australian university that requested the initial security investigation into Blackboard says that it has been trying to get the LMS to address the issues for months, but with no response. Blackboard rebuts those claims, saying it has been in contact with its customers since the vulnerability was initially logged back in July.
For its part, the university says that the lack of response from Blackboard prompted it to escalate the problem to AusCERT, a non-profit organization that provides security information to the Australian public. AusCERT told SC Magazine that it was prepared to issue a security alert to its network.
But after SC Magazine published its story yesterday, Blackboard took further action, saying that it would issue an alert to its customers with information about the security issues and the company's plans to patch them.
In a statement, Blackboard said, "The majority of the issues were known issues responsibly reported by other institutions and security researchers, and for which Blackboard has commenced remediation for release to the larger client base as part of our standard operating procedure." The company also indicated it's still investigating at least one vulnerability discovered by the Australian security team.
Although Blackboard remains the most popular learning management system, its market share has declined in recent years as universities explore other solutions. Blackboard has long suffered from user complaints, and while the company has said that customer satisfaction is increasing, these latest security flaws -- and the slow response in addressing them -- certainly won't help the company retain its clients.