hjk101 · 292 · 325d
Very well written. Has more than enough fluff to make it readable and not dry/highly technical, as the preface warns.
You caught on with the symmetric-key-only solution, something any audit should have flagged. You did a good job. The fix should be forced on new customers, but as it requires action on the user's part (supplying a public key), it's hard to make it the default for existing customers.
Marketing comes up with "Fort Knox it" in order to make it seem they already provide adequate security. High chance they won't force existing customers, or even inform them, to migrate to the fix.
sbiewald
What student data gets disclosed by this flaw?
I don't know if I would do responsible disclosure on this - it is spyware, not more, not less. Certainly I wouldn't have helped the local banking trojan's vendor...
Interestingly, this is not the first vulnerability in this component (e.g. insecure random was used).
Oxylibrium · 295 · 21d
@sbiewald It *is* spyware, but I went the responsible disclosure route because of the consent dynamic here - if people were wilfully ignorant of the risks (such as with video game "anti cheat" DRM) for just playing a shiny new game, that's on them.
But, given that, security issue or not, students are being forced to use such services and not given an alternative, I did what I thought would be best for students. (Which is also why I didn't give advance notice on some other stuff, like the open source libraries I found used in code. Goal was to help students, not do the company's job for them.)
I've been working with student orgs and trying to organise for pushback against these services, but it has been difficult.