Problems with the school's SMS log system that contains high vulnerabilities

I just found that the school’s SMS system, which contains all the sensitive and private information of almost every student and staff member in our school, including accounts that can directly change the students’ scores, is highly vulnerable.

First of all, no SSL certificate is used. That means all passwords and content are delivered directly without any encryption. That means… Well, this is what I got on my account:

If our traffic is sniffed at any of the routers it passes through, all the passwords and page contents will be leaked.

Second of all, the site does not limit attempts to enter wrong passwords. That means that, with a little time, it would be possible to try out teachers’ passwords with a small script.
Here is a small example:
wget http://sms.██s.com/login --post-data='username=p1234&password=123456' -r
This is a shell command that attempts to recursively download all the content owned by a student’s account. It can easily be embedded in a program that tries all possible combinations until one succeeds. Once the password is correct, all the private information will leak. Also, if the account belongs to a teacher, students will be able to change their scores themselves.

==Plus, most of the teachers are using default passwords today…which are██..==

In conclusion, the school platform needs to be refined so that it is made safer!

2017/4/25