Cyberattack could target Univ. Amsterdam via customized Blackboard software

University of Amsterdam logo
University of Amsterdam logo. (Photo: Wikimedia Commons)

The modified version of Blackboard software used by the University of Amsterdam contains major security vulnerabilities that can easily be exploited by cyber attackers, according to two students at the university who researched this as part of their studies, reports.

According to students Bram ter Borch and Auke Zwaan, they shared these vulnerabilities with the university's IT department in May last year, but the department did not do enough to fix the problems. So the students decided to make their findings public.

They found that the modified Blackboard version used by UvA students and lecturers to login has some obvious security risks. For example, after logging in, users are redirected to an unencrypted website, which can easily be taken over by hackers. 

Entered passwords are also poorly encrypted and poorly protected. For example, there was no limit on the number of login attempts from one IP address. And you could change your password without entering the old password. 

Using their own Blackboard accounts, the two students managed to get hold of a list of details for 143 thousand accounts - including name, surname and email address. Many of these accounts' passwords were the same as the username. With that knowledge Ter Borch and Zwaan could access almost 11 thousand accounts, including a test account that has access to almost the entire Blackboard environment. 

The students also managed to install malware on popular pages, such as the introduction page for a particular subject, with which they could take over accounts of the visitors. 

In response to the published study, UvA spokesperson Annelies van Dijk said that the Blackboard software was upgraded in the summer of 2016 and regular patches are installed. "With these kinds of updates we try to prevent these kinds of holes", he said accorrding to the enwspaper. Van Dijk acknowledged that not all the vulnerabilities in the study have been fixed, but denies the students' accusation that the university did not take their findings seriously. "It has our continuous attention."