The HPI cloud system had a data leak. Videos from students and teachers were openly available.
Anything that distracts doesn't belong in the workplace
During the pandemic, many schools had to switch to learning platforms to enable teaching from a distance. One such service is the cloud system of the German Hasso Plattner Institute (HPI). As heise has now revealed, confidential content could be accessed from outside due to a data leak.
The platform has been offered as an open source solution since 2016 and is mainly used by schools that have not yet operated their own system. With the data that is available for development at GitHub, attackers could have easily gained access to the systems.
Barrier-free access
All that was needed was the forgotten demo account “[email protected]”. This allowed you to log into the Thuringian instance of the platform. The software code also contained an object with the ending “/ teachersOfSchool”. A list of hundreds with the names and IDs of hundreds of teachers and the associated schools could be called up.
With the ending “// metrics” you could call up data about the server in the browser without having to be logged in. There was also a list of accessed URLs. These resulted in files uploaded by students and teachers.
Videos and sheet music
These could easily be downloaded via the links. You received tests including handwritten assessments and the grades of individual students as well as videos in which poems were recited or children danced. The data leak has now been resolved.
