A few short decades ago, the archetypal hacker was a bored teenager breaking into his school's network to change grades, à la Ferris Bueller. So today, when cybersecurity has become the domain of state-sponsored spy agencies and multibillion-dollar companies, it may be refreshing to know that the high school hacker lives on—as do the glaring vulnerabilities in school software.

At the Defcon hacker conference in Las Vegas today, 18-year-old Bill Demirkapi presented his findings from three years of after-school hacking that began when he was a high school freshman. Demirkapi poked around the web interfaces of two common pieces of software, sold by tech firms Blackboard and Follett and used by his own school. In both cases, he found serious bugs that would allow a hacker to gain deep access to student data. In Blackboard's case in particular, Demirkapi found 5 million vulnerable records for students and teachers, including student grades, immunization records, cafeteria balance, schedules, cryptographically hashed passwords, and photos.

Demirkapi points out that if he, then a bored 16-year-old motivated only by his own curiosity, could so easily access these corporate databases, his story doesn't reflect well on the broader security of the companies holding millions of students' personal information."The access I had was pretty much anything the school had," Demirkapi says. "The state of cybersecurity in education software is really bad, and not enough people are paying attention to it."

5,000 Schools, 5 Million Records

Demirkapi found a series of common web bugs in Blackboard's Community Engagement software and Follett's Student Information System, including so-called SQL-injection and cross-site-scripting vulnerabilities. For Blackboard, those bugs ultimately allowed access to a database that contained 24 categories of data, everything from phone numbers to discipline records, bus routes, and attendance records—though not every school seemed to store data in every field. Only 34,000 of the records included immunization history, for instance. More than 5,000 schools appeared to be included in the data, with roughly 5 million individual records in total, including students, teachers, and other staff.

In Follett's software, Demirkapi says he found bugs that would have given a hacker access to student data like grade point average, special education status, number of suspensions, and passwords. Unlike in Blackboard's software, those passwords were stored unencrypted, in fully readable form. By the time Demirkapi had gained that level of access to Follett's software, however, he was two years into his hacking escapades and slightly better informed about legal dangers like the Computer Fraud and Abuse Act, which forbids gaining unauthorized access to a company's network. So while he says he checked the data about himself and a friend who gave him permission, to verify that the bugs led to access, he didn't explore further or enumerate the total number of vulnerable records, as he had with Blackboard. "I was a little stupider in the 10th grade," he says of his earlier explorations.

When WIRED reached out to Blackboard and Follett, Follett's senior vice president of technology George Gatsis expressed his thanks to Demirkapi for helping the company identify its bugs, which he says were fixed by July of 2018. "We were happy to work with Bill and grateful he was wiling to work through those things with us," Gatsis says. But Gatsis also claimed that even with the security flaws he exploited, Demirkapi could never have accessed Follett data other than his own. Demirkapi counters that he "100 percent had access to other people’s data," and says he even showed Follett's engineers the password of the friend who had let him access his information.

Blackboard also thanked Demirkapi, but argued that based on its analysis no one else had accessed those records through the vulnerability he exposed. "We commend Bill Demirkapi for bringing these vulnerabilities to our attention and for striving to be part of a solution to improve our products' security and protect our client’s personal information," reads a statement from a Blackboard spokesperson. "We have addressed several issues that were brought to our attention by Mr. Demirkapi and have no indication that these vulnerabilities were exploited or that any clients’ personal information was accessed by Mr. Demirkapi or any other unauthorized party.

Advanced Persistent Teen

Demirkapi says he started digging up the two companies' security flaws out of a combination of teenage boredom and an ambition to learn more about cybersecurity and web-based hacking. "I have a passion to, I guess, break things," Demirkapi says. "I really wanted to learn about web application testing, so I thought, well, how cool would it be to test on my own school’s grading system?"