Application Security // Database Security
7/19/2013
05:29 PM
Connect Directly
LinkedIn
Google+
Twitter
RSS
E-Mail
50%
50%

Edmodo Upgrades Student, Teacher Security, After Criticism

Network engineer and parent who complained of Edmodo's inadequate use of SSL encryption says "they've made a few million kids a lot safer."

7 Ways To Create E-Portfolios
7 Ways To Create E-Portfolios
(click image for larger view)
Edmodo, the educational social software site for teachers, students and parents, has filled a hole in its website security that could have provided an opening for hackers.

As of late last week, visitors to edmodo.com were getting a connection that uses Secure Sockets Layer encryption -- the https, rather than http, version of the Hypertext Transport Protocol. Previously, the use of https was not as consistent. Edmodo encrypted access to its log-in page, but after log in, users would not necessarily get an encrypted connection while using the website, which among other things is used for communication between teachers and their students. School districts could configure their networks to automatically redirect browser traffic to an https address, but a teacher accessing the site from home wouldn't get an encrypted connection -- not without manually changing the http to https every time she signed on to edmodo.com.

Without complete encryption, it's possible for an attacker to intercept communications with the website -- for example, over a wireless connection at a coffee shop -- and then capture key data such as the session cookie used to identify a user to a Web application after the initial log in. The attacker could then use the cookie to impersonate an authorized user without needing the user's log-in information.

[ Is too much technology in education dangerous? Read Ed Tech, Privatization And Plunder. ]

"If you don't protect the session cookie, you're vulnerable to the creepy guy who grabs that cookie and starts looking around," said Tony Porterfield, a networking hardware engineer who made an issue of Edmodo's lax security, initially taking his story to The New York Times.

When Edmodo's spotty use of encryption came to light in June, the company said the encryption issue would be addressed as part of a July 15 upgrade to the service. It arrived a few days later than that, following a wave of feature and design updates.

Porterfield said he wouldn't quibble about a delay of a few days. "It's a big step forward, really great," he said in an interview. After reviewing all the sections of the website that concerned him previously, he said he was convinced that they are properly protected now. The only thing that still concerns him is that the educational apps promoted through the Edmodo app store do not all meet the same standard and some of them have access to Edmodo data through APIs.

Still, it's progress. "I'm encouraged that they, in fairly short order, did turn it around. They've made a few million kids a lot safer by what they did," Porterfield said.

Edmodo notified me when the SSL feature went live, and I've asked for an interview on their latest updates. Edmodo CEO Crystal Hutter exchanged phone and email messages with me late Friday, but we did not connect. Previously, she has stressed that Edmodo had planned to move to full encryption this year all along and didn't do it sooner partly because encryption adds network and computing overhead -- a problem for some schools with older PCs and limited bandwidth.

Edmodo has a reputation as a valuable tool for teachers, functioning as a social network for professional development and sharing curriculum ideas and materials, while also providing a way to communicate with students and parents. Although the company doesn't promote its product as a learning management system per se, it does provide tools for posting homework assignments and online quizzes, as well as a grade book module and course calendar.

"I know my neighbor's kids love it, and the school loves it and what it provides," Porterfield said. Although he sees some irony in the way Edmodo has been promoting itself as the secure alternative to public social media sites such as Facebook, he also sees how it could be considered "safe and secure based on some legitimate things."

For example, Edmodo's system is structured so teachers have access to information and communications about only their own students. Although it's possible for members of the general public to set up an account -- both Porterfield and I have set up accounts in the guise of home school teachers -- a member of the site can't simply troll through student records the way a child predator might want to. The scheme for authorized access makes good sense, Porterfield said. It was the potential for unauthorized access that concerned him.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

CVE-2014-0600
Published: 2014-08-29
FileUploadServlet in the Administration service in Novell GroupWise 2014 before SP1 allows remote attackers to read or write to arbitrary files via the poLibMaintenanceFileSave parameter, aka ZDI-CAN-2287.

CVE-2014-0888
Published: 2014-08-29
IBM Worklight Foundation 5.x and 6.x before 6.2.0.0, as used in Worklight and Mobile Foundation, allows remote authenticated users to bypass the application-authenticity feature via unspecified vectors.

CVE-2014-0897
Published: 2014-08-29
The Configuration Patterns component in IBM Flex System Manager (FSM) 1.2.0.x, 1.2.1.x, 1.3.0.x, and 1.3.1.x uses a weak algorithm in an encryption step during Chassis Management Module (CMM) account creation, which makes it easier for remote authenticated users to defeat cryptographic protection me...

CVE-2014-3024
Published: 2014-08-29
Cross-site request forgery (CSRF) vulnerability in IBM Maximo Asset Management 7.1 through 7.1.1.12 and 7.5 through 7.5.0.6 and Maximo Asset Management 7.5.0 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk allows remote authenticated users to hijack the authentication of arbitr...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.