Serbian developers discover serious security breach
Some time ago, the Serbian Ministry of Education decided to give parents access to information on their kids’ school grades. What they did was basically allow every parent who applied to get a code and then log on to an online secure portal, where they could see just how much their kids were lying to them about straight A’s, or even receive notifications via a text message.
I won’t go into the ethics of this decision; let’s just say it has been discussed a lot here without anyone agreeing on whether it’s good to take away kids’ right to lie or not. Personally, I pity the poor little bastards. I’ve never heard of this kind of system being implemented anywhere else abroad, so please inform me if you are aware of anything similar.
But the main subject of this post is what was discovered tonight on DevProTalk (the Serbian developers’ community) by a forum member: the security of the site was done pretty badly, and anyone with a slightly higher level of knowledge of server technologies could easily see the phone numbers, home addresses and grades of all the children listed in the system so far. Apparently the coding of the security was done as poorly as the web design of the site itself. The good thing is that the Serbian Internet community is not so lame and slow after all, that this breach was discovered in time, and that the story will probably hit the mass media tomorrow or the day after tomorrow, so that the system can be improved and fixed (or, even better, cancelled).
It’s been a regular practice in Canada (well, at least in Ontario) for a few years now. It’s also being done in some states in the US – it’s largely a decision of the individual school board. Parents love it. Kids probably hate it. There are pros and cons, but for the most part I think it’s a good tool that will help parents stay in touch with their kids’ education and allow for timely intervention where it’s required. The assumption is, of course, that the system is protected and secure. I had no idea they were doing it in Serbia too.
They started with this only recently. I didn’t even know about it until I saw this news about a security hole.