Application Security // Database Security
7/19/2013
05:29 PM
Connect Directly
LinkedIn
Google+
Twitter
RSS
E-Mail
50%
50%

Edmodo Upgrades Student, Teacher Security, After Criticism

Network engineer and parent who complained of Edmodo's inadequate use of SSL encryption says "they've made a few million kids a lot safer."

7 Ways To Create E-Portfolios
7 Ways To Create E-Portfolios
(click image for larger view)
Edmodo, the educational social software site for teachers, students and parents, has filled a hole in its website security that could have provided an opening for hackers.

As of late last week, visitors to edmodo.com were getting a connection that uses Secure Sockets Layer encryption -- the https, rather than http, version of the Hypertext Transport Protocol. Previously, the use of https was not as consistent. Edmodo encrypted access to its log-in page, but after log in, users would not necessarily get an encrypted connection while using the website, which among other things is used for communication between teachers and their students. School districts could configure their networks to automatically redirect browser traffic to an https address, but a teacher accessing the site from home wouldn't get an encrypted connection -- not without manually changing the http to https every time she signed on to edmodo.com.

Without complete encryption, it's possible for an attacker to intercept communications with the website -- for example, over a wireless connection at a coffee shop -- and then capture key data such as the session cookie used to identify a user to a Web application after the initial log in. The attacker could then use the cookie to impersonate an authorized user without needing the user's log-in information.

[ Is too much technology in education dangerous? Read Ed Tech, Privatization And Plunder. ]

"If you don't protect the session cookie, you're vulnerable to the creepy guy who grabs that cookie and starts looking around," said Tony Porterfield, a networking hardware engineer who made an issue of Edmodo's lax security, initially taking his story to The New York Times.

When Edmodo's spotty use of encryption came to light in June, the company said the encryption issue would be addressed as part of a July 15 upgrade to the service. It arrived a few days later than that, following a wave of feature and design updates.

Porterfield said he wouldn't quibble about a delay of a few days. "It's a big step forward, really great," he said in an interview. After reviewing all the sections of the website that concerned him previously, he said he was convinced that they are properly protected now. The only thing that still concerns him is that the educational apps promoted through the Edmodo app store do not all meet the same standard and some of them have access to Edmodo data through APIs.

Still, it's progress. "I'm encouraged that they, in fairly short order, did turn it around. They've made a few million kids a lot safer by what they did," Porterfield said.

Edmodo notified me when the SSL feature went live, and I've asked for an interview on their latest updates. Edmodo CEO Crystal Hutter exchanged phone and email messages with me late Friday, but we did not connect. Previously, she has stressed that Edmodo had planned to move to full encryption this year all along and didn't do it sooner partly because encryption adds network and computing overhead -- a problem for some schools with older PCs and limited bandwidth.

Edmodo has a reputation as a valuable tool for teachers, functioning as a social network for professional development and sharing curriculum ideas and materials, while also providing a way to communicate with students and parents. Although the company doesn't promote its product as a learning management system per se, it does provide tools for posting homework assignments and online quizzes, as well as a grade book module and course calendar.

"I know my neighbor's kids love it, and the school loves it and what it provides," Porterfield said. Although he sees some irony in the way Edmodo has been promoting itself as the secure alternative to public social media sites such as Facebook, he also sees how it could be considered "safe and secure based on some legitimate things."

For example, Edmodo's system is structured so teachers have access to information and communications about only their own students. Although it's possible for members of the general public to set up an account -- both Porterfield and I have set up accounts in the guise of home school teachers -- a member of the site can't simply troll through student records the way a child predator might want to. The scheme for authorized access makes good sense, Porterfield said. It was the potential for unauthorized access that concerned him.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1449
Published: 2014-12-25
The Maxthon Cloud Browser application before 4.1.6.2000 for Android allows remote attackers to spoof the address bar via crafted JavaScript code that uses the history API.

CVE-2014-2217
Published: 2014-12-25
Absolute path traversal vulnerability in the RadAsyncUpload control in the RadControls in Telerik UI for ASP.NET AJAX before Q3 2012 SP2 allows remote attackers to write to arbitrary files, and consequently execute arbitrary code, via a full pathname in the UploadID metadata value.

CVE-2014-3971
Published: 2014-12-25
The CmdAuthenticate::_authenticateX509 function in db/commands/authentication_commands.cpp in mongod in MongoDB 2.6.x before 2.6.2 allows remote attackers to cause a denial of service (daemon crash) by attempting authentication with an invalid X.509 client certificate.

CVE-2014-7193
Published: 2014-12-25
The Crumb plugin before 3.0.0 for Node.js does not properly restrict token access in situations where a hapi route handler has CORS enabled, which allows remote attackers to obtain sensitive information, and potentially obtain the ability to spoof requests to non-CORS routes, via a crafted web site ...

CVE-2014-7300
Published: 2014-12-25
GNOME Shell 3.14.x before 3.14.1, when the Screen Lock feature is used, does not limit the aggregate memory consumption of all active PrtSc requests, which allows physically proximate attackers to execute arbitrary commands on an unattended workstation by making many PrtSc requests and leveraging a ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.