I created a custom interface for an LMS that allows students to see their marks even if they haven't been 'shared' yet by their teachers. This is all done without accessing any unauthorized apis, as the LMS always returns all student marks and then hides the ones with a False 'shared' key. School administration caught me, so I've now shut it down. I have a meeting with the deans tomorrow. Any advice? (Again, this is all done using existing methods found within this LMS)

  • 1
    Play it down, you only thought you were using "available" interactions and not trying to "exploit" anything. Making something convenient, use that you masked then stopped it as part of the defense to back that.
  • 1
    Under no circumstances should you do what I did and tell them to secure their shit better
  • 1
  • 2
    Say that you wanted to make a cooler UI, but you didn't know how to hide the not shred ones, as you are (of course) only experienced in UI design :D
  • 0
    "School administration caught me" - well I'd say you caught them. Just don't tell them that. You should've emailed them about there bad architecture instead of making a cool ui if you did not want the possibility of trouble...
Add Comment