Application Security // Database Security
7/19/2013
05:29 PM
Connect Directly
LinkedIn
Google+
Twitter
RSS
E-Mail
50%
50%

Edmodo Upgrades Student, Teacher Security, After Criticism

Network engineer and parent who complained of Edmodo's inadequate use of SSL encryption says "they've made a few million kids a lot safer."

7 Ways To Create E-Portfolios
7 Ways To Create E-Portfolios
(click image for larger view)
Edmodo, the educational social software site for teachers, students and parents, has filled a hole in its website security that could have provided an opening for hackers.

As of late last week, visitors to edmodo.com were getting a connection that uses Secure Sockets Layer encryption -- the https, rather than http, version of the Hypertext Transport Protocol. Previously, the use of https was not as consistent. Edmodo encrypted access to its log-in page, but after log in, users would not necessarily get an encrypted connection while using the website, which among other things is used for communication between teachers and their students. School districts could configure their networks to automatically redirect browser traffic to an https address, but a teacher accessing the site from home wouldn't get an encrypted connection -- not without manually changing the http to https every time she signed on to edmodo.com.

Without complete encryption, it's possible for an attacker to intercept communications with the website -- for example, over a wireless connection at a coffee shop -- and then capture key data such as the session cookie used to identify a user to a Web application after the initial log in. The attacker could then use the cookie to impersonate an authorized user without needing the user's log-in information.

[ Is too much technology in education dangerous? Read Ed Tech, Privatization And Plunder. ]

"If you don't protect the session cookie, you're vulnerable to the creepy guy who grabs that cookie and starts looking around," said Tony Porterfield, a networking hardware engineer who made an issue of Edmodo's lax security, initially taking his story to The New York Times.

When Edmodo's spotty use of encryption came to light in June, the company said the encryption issue would be addressed as part of a July 15 upgrade to the service. It arrived a few days later than that, following a wave of feature and design updates.

Porterfield said he wouldn't quibble about a delay of a few days. "It's a big step forward, really great," he said in an interview. After reviewing all the sections of the website that concerned him previously, he said he was convinced that they are properly protected now. The only thing that still concerns him is that the educational apps promoted through the Edmodo app store do not all meet the same standard and some of them have access to Edmodo data through APIs.

Still, it's progress. "I'm encouraged that they, in fairly short order, did turn it around. They've made a few million kids a lot safer by what they did," Porterfield said.

Edmodo notified me when the SSL feature went live, and I've asked for an interview on their latest updates. Edmodo CEO Crystal Hutter exchanged phone and email messages with me late Friday, but we did not connect. Previously, she has stressed that Edmodo had planned to move to full encryption this year all along and didn't do it sooner partly because encryption adds network and computing overhead -- a problem for some schools with older PCs and limited bandwidth.

Edmodo has a reputation as a valuable tool for teachers, functioning as a social network for professional development and sharing curriculum ideas and materials, while also providing a way to communicate with students and parents. Although the company doesn't promote its product as a learning management system per se, it does provide tools for posting homework assignments and online quizzes, as well as a grade book module and course calendar.

"I know my neighbor's kids love it, and the school loves it and what it provides," Porterfield said. Although he sees some irony in the way Edmodo has been promoting itself as the secure alternative to public social media sites such as Facebook, he also sees how it could be considered "safe and secure based on some legitimate things."

For example, Edmodo's system is structured so teachers have access to information and communications about only their own students. Although it's possible for members of the general public to set up an account -- both Porterfield and I have set up accounts in the guise of home school teachers -- a member of the site can't simply troll through student records the way a child predator might want to. The scheme for authorized access makes good sense, Porterfield said. It was the potential for unauthorized access that concerned him.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5619
Published: 2014-09-29
The Sleuth Kit (TSK) 4.0.1 does not properly handle "." (dotfile) file system entries in FAT file systems and other file systems for which . is not a reserved name, which allows local users to hide activities it more difficult to conduct forensics activities, as demonstrated by Flame.

CVE-2012-5621
Published: 2014-09-29
lib/engine/components/opal/opal-call.cpp in ekiga before 4.0.0 allows remote attackers to cause a denial of service (crash) via an OPAL connection with a party name that contains invalid UTF-8 strings.

CVE-2012-6107
Published: 2014-09-29
Apache Axis2/C does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVE-2012-6110
Published: 2014-09-29
bcron-exec in bcron before 0.10 does not close file descriptors associated with temporary files when running a cron job, which allows local users to modify job files and send spam messages by accessing an open file descriptor.

CVE-2013-1874
Published: 2014-09-29
Untrusted search path vulnerability in csi in Chicken before 4.8.2 allows local users to execute arbitrary code via a Trojan horse .csirc in the current working directory.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.