Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Database Security

7/19/2013
05:29 PM
Connect Directly
LinkedIn
Google+
Twitter
RSS
E-Mail
50%
50%

Edmodo Upgrades Student, Teacher Security, After Criticism

Network engineer and parent who complained of Edmodo's inadequate use of SSL encryption says "they've made a few million kids a lot safer."

7 Ways To Create E-Portfolios
7 Ways To Create E-Portfolios
(click image for larger view)
Edmodo, the educational social software site for teachers, students and parents, has filled a hole in its website security that could have provided an opening for hackers.

As of late last week, visitors to edmodo.com were getting a connection that uses Secure Sockets Layer encryption -- the https, rather than http, version of the Hypertext Transport Protocol. Previously, the use of https was not as consistent. Edmodo encrypted access to its log-in page, but after log in, users would not necessarily get an encrypted connection while using the website, which among other things is used for communication between teachers and their students. School districts could configure their networks to automatically redirect browser traffic to an https address, but a teacher accessing the site from home wouldn't get an encrypted connection -- not without manually changing the http to https every time she signed on to edmodo.com.

Without complete encryption, it's possible for an attacker to intercept communications with the website -- for example, over a wireless connection at a coffee shop -- and then capture key data such as the session cookie used to identify a user to a Web application after the initial log in. The attacker could then use the cookie to impersonate an authorized user without needing the user's log-in information.

[ Is too much technology in education dangerous? Read Ed Tech, Privatization And Plunder. ]

"If you don't protect the session cookie, you're vulnerable to the creepy guy who grabs that cookie and starts looking around," said Tony Porterfield, a networking hardware engineer who made an issue of Edmodo's lax security, initially taking his story to The New York Times.

When Edmodo's spotty use of encryption came to light in June, the company said the encryption issue would be addressed as part of a July 15 upgrade to the service. It arrived a few days later than that, following a wave of feature and design updates.

Porterfield said he wouldn't quibble about a delay of a few days. "It's a big step forward, really great," he said in an interview. After reviewing all the sections of the website that concerned him previously, he said he was convinced that they are properly protected now. The only thing that still concerns him is that the educational apps promoted through the Edmodo app store do not all meet the same standard and some of them have access to Edmodo data through APIs.

Still, it's progress. "I'm encouraged that they, in fairly short order, did turn it around. They've made a few million kids a lot safer by what they did," Porterfield said.

Edmodo notified me when the SSL feature went live, and I've asked for an interview on their latest updates. Edmodo CEO Crystal Hutter exchanged phone and email messages with me late Friday, but we did not connect. Previously, she has stressed that Edmodo had planned to move to full encryption this year all along and didn't do it sooner partly because encryption adds network and computing overhead -- a problem for some schools with older PCs and limited bandwidth.

Edmodo has a reputation as a valuable tool for teachers, functioning as a social network for professional development and sharing curriculum ideas and materials, while also providing a way to communicate with students and parents. Although the company doesn't promote its product as a learning management system per se, it does provide tools for posting homework assignments and online quizzes, as well as a grade book module and course calendar.

"I know my neighbor's kids love it, and the school loves it and what it provides," Porterfield said. Although he sees some irony in the way Edmodo has been promoting itself as the secure alternative to public social media sites such as Facebook, he also sees how it could be considered "safe and secure based on some legitimate things."

For example, Edmodo's system is structured so teachers have access to information and communications about only their own students. Although it's possible for members of the general public to set up an account -- both Porterfield and I have set up accounts in the guise of home school teachers -- a member of the site can't simply troll through student records the way a child predator might want to. The scheme for authorized access makes good sense, Porterfield said. It was the potential for unauthorized access that concerned him.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Virginia a Hot Spot For Cybersecurity Jobs
Jai Vijayan, Contributing Writer,  10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17612
PUBLISHED: 2019-10-15
An issue was discovered in 74CMS v5.2.8. There is a SQL Injection generated by the _list method in the Common/Controller/BackendController.class.php file via the index.php?m=Admin&c=Ad&a=category sort parameter.
CVE-2019-17613
PUBLISHED: 2019-10-15
qibosoft 7 allows remote code execution because do/jf.php makes eval calls. The attacker can use the Point Introduction Management feature to supply PHP code to be evaluated. Alternatively, the attacker can access admin/index.php?lfj=jfadmin&action=addjf via CSRF, as demonstrated by a payload in...
CVE-2019-17395
PUBLISHED: 2019-10-15
In the Rapid Gator application 0.7.1 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.
CVE-2019-17602
PUBLISHED: 2019-10-15
An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated.
CVE-2019-17394
PUBLISHED: 2019-10-15
In the Seesaw Parent and Family application 6.2.5 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.