Just finished a large write up on a security flaw I found and disclosed in an exam spyware vendor's "zero knowledge encryption" - derived keys that were generated from incrementing integers, discussion on obfuscation and more.

It was a hell of a time writing this up; not sure if linking my personal blog here would be bad practice, but here it is: https://proctor.ninja/wave-rake-pro...

It's been something else, but hopefully I can keep fighting against tech like this on school campuses.
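To make the key-derivation problem from the write-up concrete, here is an added Python illustration (not code from the blog post or from the vendor): a key derived deterministically from an incrementing integer next to a properly random key, plus the check an auditor would run to show that the derived keys are bounded by the counter range rather than by their 256-bit length. The derivation function itself (SHA-256 over the counter) is an assumption standing in for whatever the vendor actually used; the counter ranges are constructed sample values.

```python
"""Counter-derived keys versus random keys, with an audit check.

Assumption: the weak scheme hashes an 8-byte big-endian counter with
SHA-256. The vendor's real derivation is not shown on the page.
"""
import hashlib
import hmac
import math
import secrets
from typing import Optional

KEY_LEN = 32  # both schemes hand out 256-bit keys; only one deserves the name


def derive_key_from_counter(counter: int) -> bytes:
    """WEAK (assumed scheme): key = SHA-256(counter).

    The output is 256 bits wide, but it is a deterministic function of a
    small integer, so there are never more distinct keys than counter values.
    """
    return hashlib.sha256(counter.to_bytes(8, "big")).digest()[:KEY_LEN]


def random_key() -> bytes:
    """Hardened: 256 bits straight from the OS CSPRNG; nothing to enumerate."""
    return secrets.token_bytes(KEY_LEN)


def effective_key_bits(max_counter: int) -> float:
    """Upper bound on the entropy of a counter-derived key.

    At most `max_counter` distinct keys exist, so the unpredictability is
    bounded by log2(max_counter), however long the hash output is.
    """
    return math.log2(max_counter)


def count_distinct_keys(max_counter: int) -> int:
    """Number of distinct keys the weak scheme can produce for counters
    in [0, max_counter). Equals max_counter when the hash has no collisions."""
    return len({derive_key_from_counter(i) for i in range(max_counter)})


def audit_key(key: bytes, max_counter: int) -> Optional[int]:
    """Audit check: does a counter in [0, max_counter) reproduce this key?

    Returns the matching counter, or None. A key from a sound generator
    should never match; a key from the weak scheme always will once the
    range covers its counter. constant-time compare avoids leaking which
    byte differed if this were ever run against live material.
    """
    for i in range(max_counter):
        if hmac.compare_digest(derive_key_from_counter(i), key):
            return i
    return None


if __name__ == "__main__":
    sample_range = 1 << 16  # constructed: a 16-bit counter space
    weak = derive_key_from_counter(4242)
    strong = random_key()
    print(f"weak-scheme entropy bound: {effective_key_bits(sample_range):.0f} bits")
    print(f"weak key matches counter:  {audit_key(weak, sample_range)}")
    print(f"random key matches counter: {audit_key(strong, sample_range)}")
```

The point the check makes is that the flaw is independent of the hash or KDF chosen: swapping SHA-256 for a slower KDF only changes how long the enumeration takes, not how many keys there are, which is why the fix has to change the source of the key material rather than the derivation step.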

Comments
  • 1
    Very well written. Has more than enough fluff to make it readable and not dry/highly technical as the preface warns.

    You caught on with the symmetric key only solution, something any audit should have flagged. You did a good job. The fix should be forced on new customers but as it requires action on the user's part (supplying a public key) it's hard to make it default for existing customers.

    Marketing comes up with "Fort Knox it" in order to make it seem they already provide adequate security. High chance they won't force existing customers or even inform them to migrate to the fix.

    What student data gets disclosed by this flaw?
  • 0
    Nice catch.

    I don't know if I would do responsible disclosure on this - it is spyware, not more, not less. Certainly I wouldn't have helped the local banking trojan's vendor...
    Interestingly, this is not the first vulnerability in this component (e.g. insecure random was used).
  • 0
    @sbiewald It *is* spyware, but I went the responsible disclosure route because of the consent dynamic here - if people were wilfully ignorant of the risks (such as with video game "anti cheat" DRM), for just playing a shiny new game, that's on them.

    But, given that, security issue or not, students are being forced to use such services and not given an alternative, I did what I thought would be best for students. (Which is also why I didn't give advance notice on some other stuff, like the open source libraries I found used in code. Goal was to help students, not do the company's job for them.)

    I've been working with student orgs and trying to organise for pushback against these services, but it has been difficult.
  • 1
    @hjk101 Everything they store. Depending on configurations, may include government ID, room panoramas, signatures, etc.