juvenile delinquent: the official guide on how to hack schoolloop

Kunal Agarwal
8 min read · Jun 16, 2015

by kunal agarwal

FROM a very young age, I had always liked to tinker. understand, exploit, reward, repeat.

Most of the time this meant things like:

  • modding Halo to always win
  • pirating movies back in 2001
  • selling pirated GameBoy games on floppy disks in second grade ($20 each)

And it gave me the most awesome high.

BUT WHEN I was fifteen years old, I took things to a bit of a new level. Rules and barriers were made to jump around, and the natural next step was to take a look at this shiny new toy that had been founded and unveiled at Evergreen Valley High School.

schoolloop circa 2007.

I’m sure this is a familiar page to most of you.

This became the engine of almost a thousand schools by my third year in high school. For those of you unfamiliar with Schoolloop, it is a grading and homework/agenda website. It even pushes grades downstream to SASI (Schools Administrative Student Information systems), where your attendance, class selection, transcripts, etc. were generated.

Basically: your grade on Schoolloop becomes the grade on your transcript. It was a very innovative and inspiring concept, and it revolutionized many schools’ web presence in the technology-centric world we know today.

My Schoolloop Page

Alright Kunal, let’s get to the point.

The truth is… Schoolloop was (& still is) fucked. The amount of vulnerabilities on this site would make Sony look like an impenetrable fortress. It was without a doubt the least secure website for the amount of personal information on it.

Exactly six years ago, I decided to use Schoolloop as a real-world website for learning about network security. A lot happened after this, and unfortunately, I couldn’t speak about it until now when my lawyer okayed me because of the statute of limitations.

So, I’ve eloquently summarized my experience and what I learned in this article, and without further ado, introducing:

1. The Vulnerability Disclosure

Everything is simple when you’ve seen the solution, so let’s start with the problem. A user gets a login screen and is essentially stuck in front of a security guard; that is, unless they know the username and password. So how does someone get into an account that doesn’t belong to them?

That would depend on how smart the security guard at the login screen is.

Option 1: Steal another User

There is a concept of remote administration trojans. These are programs that run on a victim’s machine and allow you to do some crazy stuff (activate the webcam, log keystrokes, upload files, etc.).

This is a popular one I checked out in 2006.

Naturally, these programs have to be ingested and executed on the victim’s machine. Getting someone to run this secretly is quite bold. It is a direct violation of someone’s privacy and quite personal for sure. You would use the trojan to record keystrokes. Every key you tap on your computer will be logged and uploaded back to the attacker.

The result is the username and password coming back to you the next time the victim logs in. This can be adapted in many ways to trick the victim into running the program.

Hi, here is the pdf of my homework assignment, please open it. Oh it doesn’t work? Hm, that’s weird. Let me send it again.

I didn’t really go down this route.

Option 2: Sneak past the gatekeeper

Alternatively, we have to see how smart this gatekeeper really is. As I mentioned earlier, there are soooooo many vulnerabilities past and present, but we will only go over those that are for sure patched/non-existent…

At least, I would hope.

Method 1: Kunal’s auto_login Cookie Manipulation Privilege Escalation

So this one was my personal favorite, because it’s relatively simple to understand.

  • Kunal’s (It is my Discovery)
  • auto_login (cookie we will fuck with)
  • privilege escalation (access any user account)

So just a refresher: ANY website you access on the web sets a series of cookies on your local machine. These cookies contain parameters that the website reads and uses to decide things about a user (usually the session). In Schoolloop’s case:

GET http://evhs.schoolloop.com/portal/login

auto_login: false

SLID: 1232325874409

Username: kagarwal

The Response would be: redirect to login screen

Ok Kunal, let’s use some brain here. How about this?

GET http://evhs.schoolloop.com/portal/login

auto_login: true

SLID: 1232325874409

Username: cvaeth

The Response would be: Success, you are now logged into Schoolloop!

Oh my days. Really? Well hell, that was easy. Suddenly I had access to Ms. Vaeth’s account. (High School Principal)

I wish I had screenshots of this, because from here we could actually navigate through this one admin account to any other account in the tenant high school.

From there, you could actually reset another administrator’s password so that you would always have a handy dandy account in case they fixed this vulnerability. :)

Method 2: Kunal’s predictable session IDs

I know. The last exploit was lame. You changed false to true. Big deal. So after you sent those login requests we talked about earlier, Schoolloop would assign you a JSESSIONID.

JSESSIONID is how Schoolloop knows you are still the same person to be authenticated. It’s like a signed token that used to be 10 characters long, like: acrx85cn00.

Long story short, we could actually grab these from the wireless networks at school. This is why everyone always says to use HTTPS all the time. People can steal your session and start masquerading as you.

There was one more massive vulnerability, and that was the ability to predict these sessions. I had created a script to generate various session IDs and hit the server to see whether any were valid. This ran during the daytime (only teachers would be online), which meant you would always get a privileged account. From there you could pivot to anyone you wanted to be.

It’s been a really long time since this all happened, and I can’t remember the exact web framework that they used (it was Java), so I’m sorry I cannot give the specifics.
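As an added illustration (this is not code from the post or from Schoolloop), here is a toy login check in the shape Method 1 describes, beside a hardened version that also addresses the guessable and sniffable session IDs of Method 2. The user table, cookie names, and helper names are assumptions.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed user table (assumption); the role is what the account may do.
USERS = {"kagarwal": "student", "cvaeth": "admin"}


def vulnerable_login(cookie_header: str):
    """Trusts client-controlled cookies, as Method 1 describes.

    The server never verifies that the client is the named user, so the
    value of `Username` is taken at face value once `auto_login` is true.
    Returns the username on 'success', or None for 'redirect to login'.
    """
    c = SimpleCookie(cookie_header)
    if "auto_login" in c and c["auto_login"].value == "true":
        user = c["Username"].value if "Username" in c else None
        if user in USERS:
            return user  # no proof of identity was ever checked
    return None


# Hardened: identity lives server-side, keyed by an unguessable session id.
SESSIONS = {}  # session id -> username (in-memory store for the example)


def create_session(username: str) -> str:
    """Call only after the password has been verified.

    32 bytes (256 bits) from the OS CSPRNG: not a counter, a timestamp,
    or a 10-character id that a script could enumerate (Method 2).
    """
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value: Secure keeps the id off plaintext Wi-Fi (the HTTPS
    point in Method 2); HttpOnly keeps page scripts from reading it."""
    return f"JSESSIONID={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def hardened_login(cookie_header: str):
    """Ignores auto_login/Username entirely; only a known session id counts."""
    c = SimpleCookie(cookie_header)
    if "JSESSIONID" not in c:
        return None
    return SESSIONS.get(c["JSESSIONID"].value)
```

Flipping `auto_login` to `true` still changes what the vulnerable check returns, while the hardened check only answers to an id the server itself issued.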

2. Juvenile Delinquency

On a somber note, my intent to do this was always to learn. I always studied very hard, so I didn’t really feel the need to change my grades or anything like that. It was all fun and games.

That changed when the administration didn’t find it so funny that someone had guessed (keylogged, maybe?) their way into a teacher’s computer about a year after I started snooping around.

I used to use this as a test system for learning, so naturally when they started combing the logs they found that some of my logins (stupid me) were very close to teachers’ logins.

They brought in about 20 people with similar cases, and without them even asking, me being the sorry guy told them everything. How I had gone into Schoolloop, used my love for computers to actually get into the accounts of all these different users. I mentioned how sorry I was and that I didn’t have any bad intentions here. Just a kid being a kid.

Unfortunately for me, I never watched much TV in high school, and I didn’t realize that interrogators lie … a lot. So when the guy said, “just come clean, we will make sure nothing happens to you”, he was fucking lying through his teeth. This school police officer, who finally got some action in his life, raised a shitstorm, handcuffed me, locked me in a room for 12 hours, and had all of the administration do everything they could to make my life hell, including:

  • Prosecution from the DA
  • Expulsion so that I wouldn’t see my friends again
  • Emailing all teachers (not just mine) about the incident and my personal information (this part’s actually illegal)
  • And more…

Seriously? I really think this was overkill.

So what have I learned from this experience? The first three rules of life:

Deny, Deny, Deny.

Haha, just kidding — although if I had denied it I would have gotten away with everything. Lucky for me, the DA saw that me going to juvenile hall was probably not a good use of time or resources, and probably wouldn’t teach me much at all. I might have even gotten worse!

So I got put into a diversion program that would ensure that as long as I kept out of trouble I would be alright from a legal perspective.

3. Aftermath

I learned a lot from the aftermath of this fiasco. My 12th grade teacher once kicked me out of her class just for my history. This may not seem like much now, but for a kid I just felt disenfranchised. I just wanted to learn, succeed and put this behind me, but they were depriving me of even that. The counselors wouldn’t write me recommendations, the principal even got me temporarily expelled for a second time! (I didn’t even do anything this time!)

But through the trudges and chills of certain individuals, there were others who supported and guided me to a better path. A couple of my old high school friends (Jamie, Alicia) kept in touch and I made some new ones as well. Some teachers (like my Physics teacher Mr Lubbs, and my Chemistry teacher Mr Cervantes) actually supported me in creating a credit card security science fair project. With their support and my work throughout the year, I became a finalist at the Intel ISEF (International Science Fair)! My PE teacher Mr Bean (RIP) coached me to get through these hard times where teachers would mock me and give me bad grades on purpose.

In a time where I felt like the entire world was against me, I realized everyone has people around them to lend a hand.

Though arduous times were about, by the end of high school, I was pretty proud of myself. I had founded a non-profit Infotech Outreach to teach senior citizens how to use computers, and I was set to attend UC Berkeley under the Regents and Chancellors Scholarship.

I guess the story has a happy ending. There are so many morals this story could have, but what’s the point of reading all those books in high school if you can’t figure them out for yourself ;)

— Kunal.

Kunal Agarwal

electrical engineering computer science nerd from @ucberkeley, founder @dope.security, producer with @sanjoyd