How to Risk the Identities of Tens of Thousands of K-12 Students

Highly sensitive information about tens of thousands of students sat at a public web address on Princeton Review servers for seven weeks, according to the New York Times.

As reporter Brad Stone notes,

One file on the site contained information on about 34,000 students in the public schools in Sarasota, Fla., where the Princeton Review was hired to build an online tool to help the county measure students’ academic progress. The file included the students’ birthdays and ethnicities, whether they had learning disabilities, whether English was their second language, and their level of performance on the Florida Comprehensive Assessment Test, which is given to students in grades 3 to 11.

So you might think this is a real snafu. You might even think this company could be sued at some point, considering that its clients have an amazingly high stick-up-the-ass ratio.

But let me tell you, those engineers down at TPR campus - yes, it’s a campus - are some of the most gifted .NET engineers that can be found this side of Fog Creek Software.

For instance, the masterminds at the Princeton Review pass all their important request info as GET params (where it lands in server logs, proxy logs, Referer headers and browser history), because this tactic is actually a way to psych out potential hackers: the foolish hackers think that you are a dead animal and urinate on you before leaving, instead of p3wning your server. Success!

If we look around, we quickly come across stuff like this:

http://princetonreview.com/AjaxService.asmx

A public tutorial about how to use private Ajax functions for fun and fraudulence! That is the auto-generated help page ASP.NET renders for a .asmx web service: every method name, its parameters, and a sample request, free for anyone who asks. You’d almost think that this site was operated by toddlers, but don’t you see??? That’s what they WANT us to think.
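For the record, here is what “a few seconds” of hardening looks like for a .asmx endpoint. This is an added example, not configuration from princetonreview.com, and the file name and path are assumptions; it is a web.config for the directory holding the service.

```xml
<?xml version="1.0"?>
<!-- Added example (not Princeton Review's own config). Assumes the service
     lives at /AjaxService.asmx in the directory this web.config governs. -->
<configuration>
  <system.web>
    <webServices>
      <protocols>
        <!-- Drop the auto-generated help page and WSDL: the "public tutorial". -->
        <remove name="Documentation"/>
        <!-- Drop the plain GET/POST form bindings so methods cannot be driven
             from a browser address bar; SOAP and the script (JSON) binding
             the site's own Ajax calls use remain. -->
        <remove name="HttpGet"/>
        <remove name="HttpPost"/>
      </protocols>
    </webServices>
  </system.web>

  <!-- Hiding the help page is cosmetic: the methods still answer anyone who
       already knows their names. Deny anonymous callers on the endpoint itself. -->
  <location path="AjaxService.asmx">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>
```

The first block only takes away the map; the second block is the actual lock. Neither one helps with the real story above, where the data was a file sitting at a public URL, which no amount of .asmx configuration will fix: that file simply should not have been inside the web root.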

And by pulling a well publicized stunt like trying to ruin the lives of thousands of the brightest students in our fair country? And putting it all down to a “vulnerability” that could be remedied in a few seconds by securing your IIS server through a graphical user interface?

Sheer brilliance.

I’m crying. I’m in awe so hard right now.
