Hacking WebCT
by Milton Bradley
Stolen from Wikipedia:
"WebCT (Course Tools), now owned by Blackboard, is an online proprietary virtual learning environment system that is sold to colleges and other institutions and used in many campuses for e-learning. To their WebCT courses, instructors can add such tools as discussion boards, mail systems and live chat, along with content including documents and web pages."
My local Community College utilizes WebCT for all of its online classes.
This article discusses some of the issues I have observed. As usual, I take no responsibility for what you do with this info and do not suggest anything illegal or against school policy. By the way, do these non-accountability statements really matter anyway?
Most WebCT systems by default use a simple login process based on general identifiers of the student. If your name is Billy Badass, and your birth date is 01/01/1975, and the last four of your Social Security Number (SSN) is 0000, this is your username and login:
Basically, the username is your first and last name and then the month and day of birth, and the password is the first four letters of your last name plus the last four of your SSN.
This is my first problem with this system.
If I know this generic info about a student, I have full access to their account. To make this easier, WebCT informs me of all the usernames of all students in each of my classes.
By going to the email section of a class, then creating a new email, then selecting the "to" button in order to add recipients, you can see a list of the complete username of each student (not just the student's name). This will be handy later.
It may be helpful to export this list into Excel and later add passwords.
Now we have the username of every student in all of our classes.
The password for each student is the first four letters of their last name and then the last four digits of their SSN. Well, we already know their last name, so we are good there.
Now we need the last four of each SSN. The easiest way would be with a compromised Accurint or AutoTrack XP data mining services account. Since we don't all have that, let's get creative.
Most private investigators, law offices, and human resources departments have accounts for these services. They are often used to locate people, and the work is often done by interns and low level employees.
Since these services are not limited to law enforcement, anyone can have one. Let's assume that a friend of mine is an intern at a local law office and she finds people with these services for subpoena delivery.
Let's also assume that I asked her to just look up a few of the names on my list. The result will be a small box of "hits" on the name. The "hit" will have simple data such as name, phone number, address, and you know it... the last four of the SSN for verification!
A few years ago, I simply called Accurint and asked for the sales division. These employees work on commission, and will do anything for a sale. I identified myself as an assistant to some high powered attorneys and advised I was looking for a solution to a problem tracking people down.
I listened to her spiel and request a three day trial to get a feel for the site. This was given to me with zero hesitation. All I really need is about twenty minutes once a semester.
It should be noted that these data mining services are locking down many features including the display of SSNs. This article is not about stealing SSNs. I am sure there are plenty of ways of doing that.
If this doesn't work for you, use some good old social engineering.
At my college, if you take the username, and add @-------- edu (the ---- is the domain for the school), this serves as an external email account, and the mail will dump into their WebCT account.
Create an account at Mail.com called webctadmin@mail.com, or something like that, and send a mass phishing message to all the students in the class. This message could be from the Enrollment Center verifying the student's participation in the course. This may request a response including a verification of name and last four of the SSN (to protect their identity of course).
The student will see this, see the email address, and the name you attached ("WebCT Admin"), and happily reply in order to get that Pell Grant $$$. Even if one third replies, you are in great shape.
So now, we have a full username and password for every student in our online class.
What now?
Since every instructor will vary in teaching methods, some classes will be more lucrative than others. I will let you in on my experiences.
My first class had an instructor who appeared very concerned with preventing cheating with this medium. His quizzes were open for only a short period of time, and you could not receive your grade or revisit the quiz, until all quizzes were submitted. This created a problem. Since these quizzes were timed, I would not have enough time to look up every answer in the book.
I decided to snoop around through various student accounts until I struck gold. I noticed that almost every student was active on the class message boards except for three. These three also did not respond to messages from the instructor about enrollment. I could only assume that these students had dropped out. One of the students appeared to have abandoned all of his classes for the semester. This course allowed you to work ahead only a few quizzes at a time, so only three of the quizzes were open for the taking. You only get one shot and can't see grades until the class is caught up.
I jumped in and opened each quiz one at a time under his account. As soon as I opened it, I did a select all, then copy, then pasted into an HTML editor. This browser window does not have toolbars, so used Ctrl-A, Ctrl-C, and Ctrl-V. I now had every quiz, but no answers.
No big deal, I just Googled most of them and was ready for the testing on my own account. The exams were a different story.
The exams were only available for a specific week, and I later discovered that the exams were made up of random questions from the previous tests. I had to wait until the exam was due. Before I took the exam, I would log into six to eight different student accounts and grab all of their graded quizzes (with the correct answers marked).
I dumped them all into one big HTML file (for easy searching), and used it during my exam. Almost every question on the exam was on one of the previous tests that I extracted from the user accounts.
It is common for instructors to receive a CD accompanying the instructor's copy of the book with complete WebCT class data ready to be dropped into the system. Instructors are lazy, and this is an easy turnkey solution for them. Guaranteed A+ for me.
Another online class I took was too easy.
The instructor allowed you to work at your own pace and opened all of the quizzes and exams to be taken at any time. Once taken, the system immediately graded the test and displayed the results. I quickly found a student that worked ahead and rode his coat tails all of the way through the semester. Another A+. I have observed that summer online classes seem to be more open on testing dates than the fall and spring semesters.
The login for the instructors is not based on the same rules.
The username will be different; however, the first name on the email list I discussed earlier is the username for the instructor. The password is whatever the instructor wishes, and probably not very secure. I would assume that going to their office during non office hours will present you with a schedule on the door with their current classes and locations.
Going to these locations during the evening will usually present you with an abandoned classroom and an instructor's computer ready for a keylogger. Most instructors will check their WebCT before, during, or after a class, at least for messages.
As you can imagine, having your instructor's login for an online class is priceless. You now have all the exams.
I have noticed that my school does not have any sort of protection from malicious software on any machines because they utilize Deep Freeze, which reloads the machine every night. The problem with this is that the instructor's terminals are not reloaded they can keep all changes.
One should not stop at collecting info from current classes!
Browsing through students' accounts will reveal many other online classes, probably classes you need to take. I would visit these accounts at the end of the semester, leech all the data (graded quizzes, exams, and papers), then sign up for that class the next semester.
Make sure to choose the same instructor. Chances are that when you take your first quiz, it will be a replica of the previous semester's first quiz. Many instructors put together their online class, and then do not touch it until the book changes. This allows the system to run things while the instructor kicks back and gets paid.
It should go without saying that WebCT logs IP addresses, so be warned. I am sure you know ways around that.
Will this work on every WebCT system? Absolutely not.
Does my school's system possess bad practices and an abnormal lack of security? Quite possibly. Is much of this common sense? Totally.
I have not tried any of this on a Blackboard system, but I bet much could be applied. If it doesn't work for you, change things up and use your imagination.
One lesson in this is that online learning should be better protected by letting the user choose the password. Using general identifiers as a standard login and password is ridiculous, and instructors should become more aggressive with making the online units vary each semester.