In this post I’ll be describing my recent observations of the data security of the Raz-Kids/LearningA-Z online reading instruction application. These problems were described in a NY Times article by Natasha Singer on February 8th.
Before jumping in, a few words about disclosure: I first reported lack of SSL to LearningA-Z in October 2013. I got an acknowledgement of my inquiry but no further correspondence from the company. On Feb 2 of this year I sent the detailed information spelled out below. I’ve had some contact with the company since then and waited to disclose until now as they worked on fixes. A month later, a number of serious problems remain open, and the company has left an insecure API open after releasing updated mobile apps that no longer need it to function properly.
As described in my previous post, Raz-kids collects information about students and their reading level and progress. Some of this is visible from student accounts and all of it is visible from teacher and parent accounts.
My observations in early February included the following problems:
- No SSL used for teacher, student or parent website access, or with the mobile apps
- Passwords stored in plain text, not hashed at the server
- Presenting a teacher username to the mobile app interface caused the full class roster, with plaintext passwords, to be transmitted without encryption
- This interface could also be exercised from the browser
- Option to set up student accounts with no password required to enter the account
- Once in a student account, it was possible to register as a parent with no verification needed by the teacher before access was granted to student reading assessment information
Since then, SSL has been added to student accounts but not teacher or parent accounts, teacher approval is now required before parent accounts can access student assessments, and new Android and iOS apps have been released that no longer transmit plain text passwords for an entire class (though this API is still functional and in use by older versions of the apps).
In the remainder of this post I’ll describe details of the problems that remain open.
The student website and latest mobile apps now use SSL to encrypt credentials and data. (More on mobile below.) However, the teacher and parent accounts do not. Since the teacher account has access to many students’ assessment information and voice recordings, and the parent account has access to student assessment information, there is more risk of data exposure from these accounts than from the student accounts that are now encrypted. The SSL configuration is also flawed. It receives a Qualys SSL Labs grade of ‘F’ for vulnerability to the POODLE TLS attack, a TLS variant of the original POODLE SSLv3 attack.
The following screen shots show teacher and parent logins served without encryption, and a proxy log showing the username/passwords being sent without encryption for a teacher account.
When a parent account login is started from an HTTPS page, the browser actually notifies the user that the credentials are being sent without encryption. The proxy log confirms this, and the rest of the parent session is served without SSL/HTTPS.
Here is a summary of the SSL report:
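The two conditions described above (a login page served over plain HTTP, and an HTTPS page whose form posts credentials to an HTTP action, which is what triggers the browser warning) can be checked mechanically. The following is an added example, not code from the original post or from LearningA-Z; the hostnames and the HTML fragments are constructed for the demo.

```python
"""Audit HTML for login forms that would submit credentials without TLS.

Added example, not code from the post or from LearningA-Z. It flags a
<form> that contains a password field and whose resolved action URL is
not https://. The sample pages and hostnames below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect each <form> with its resolved action and whether it has a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # list of {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            action = attrs.get("action") or self.page_url
            self._current = {"action": urljoin(self.page_url, action),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_login_forms(page_url, html):
    """Return findings for forms that carry a password field but would
    submit it to a non-HTTPS URL."""
    parser = _FormCollector(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        if urlsplit(form["action"]).scheme.lower() != "https":
            page_is_tls = urlsplit(page_url).scheme.lower() == "https"
            findings.append({
                "page": page_url,
                "action": form["action"],
                "reason": ("HTTPS page posts credentials to HTTP action"
                           if page_is_tls else "page served over HTTP"),
            })
    return findings


# Constructed sample pages (not captured from any real site).
TEACHER_LOGIN_HTTP = """
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>"""

PARENT_LOGIN_MIXED = """
<form action="http://parent.example.test/login" method="post">
  <input name="user"><input type="PASSWORD" name="pass">
</form>"""

SEARCH_FORM_ONLY = """<form action="/search"><input name="q"></form>"""


if __name__ == "__main__":
    for url, page in [("http://teacher.example.test/", TEACHER_LOGIN_HTTP),
                      ("https://parent.example.test/start", PARENT_LOGIN_MIXED),
                      ("https://parent.example.test/start", SEARCH_FORM_ONLY)]:
        for finding in insecure_login_forms(url, page):
            print(finding)
```

The check resolves relative actions against the page URL, so a `/login` action on an HTTP page is reported while the same markup on an HTTPS page is not; a form with no password field (the search form) is ignored.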
Passwords stored in plain text
The following screen capture shows a trial teacher account displaying a roster page with student names (redacted) and passwords. This establishes that Raz-Kids is not following the best practice of hashing passwords at the server. Teacher and parent passwords are treated similarly. Notice also that the page has been served over HTTP, meaning the names and passwords are transmitted across the network without encryption.
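To make the hashing point concrete, here is an added example (not LearningA-Z's code; the class names and roster layout are invented) that puts plaintext storage, as observed above, beside salted, iterated hashing with the standard library's PBKDF2. The difference that matters for a roster page is the `export` method: the hashed store can still verify a login, but nothing it holds can be rendered or transmitted as a password.

```python
"""Plaintext password storage beside a salted PBKDF2 verifier.

Added example, not code from the post or from LearningA-Z. PBKDF2-HMAC-SHA256
is used because it ships with Python; the iteration count is a demo default
and should be tuned to the server's hardware.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # default for new rows; stored per row so it can be raised later
SALT_BYTES = 16


class PlaintextRoster:
    """What the post describes: the server keeps the password itself, so any
    roster page, API response or database dump that shows the row shows it."""

    def __init__(self):
        self._rows = {}

    def add(self, username, password):
        self._rows[username] = password

    def verify(self, username, password):
        return self._rows.get(username) == password

    def export(self):
        # Everything the server knows, password included.
        return dict(self._rows)


class HashedRoster:
    """Store only a salted verifier. The server can check a login but cannot
    display or transmit the password afterwards."""

    def __init__(self, iterations=PBKDF2_ITERATIONS):
        self._iterations = iterations
        self._rows = {}   # username -> (salt, iterations, digest)

    @staticmethod
    def _digest(password, salt, iterations):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def add(self, username, password):
        salt = os.urandom(SALT_BYTES)          # per-user salt: equal passwords hash differently
        self._rows[username] = (salt, self._iterations,
                                self._digest(password, salt, self._iterations))

    def verify(self, username, password):
        row = self._rows.get(username)
        if row is None:
            # Spend the same effort for unknown users so response time
            # does not reveal which usernames exist.
            self._digest(password, b"\0" * SALT_BYTES, self._iterations)
            return False
        salt, iterations, stored = row
        return hmac.compare_digest(stored, self._digest(password, salt, iterations))

    def export(self):
        # A roster page built from this store can show names, never passwords.
        return {user: {"salt": salt.hex(), "iterations": its, "hash": digest.hex()}
                for user, (salt, its, digest) in self._rows.items()}


if __name__ == "__main__":
    plain, hashed = PlaintextRoster(), HashedRoster()
    for store in (plain, hashed):
        store.add("student1", "reading1")      # constructed credentials
    print("plaintext export:", plain.export())
    print("hashed export:   ", hashed.export())
    print("login ok:", hashed.verify("student1", "reading1"))
```

The hashed row records its own iteration count, so rows written with a lower count can be re-hashed on the user's next successful login rather than in a bulk migration; `hmac.compare_digest` keeps the comparison constant-time.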
Class roster with plaintext passwords transmitted without encryption
Previous versions of the Android and iOS apps transmit entire class rosters with plaintext passwords, unencrypted, when presented with a teacher username, and rely on this interface to function. Raz-Kids has chosen to leave this API functional even after releasing updated apps that don’t rely on it. This means that users are not forced to update, and anyone still running an older version continues to cause this information to be transferred. The interface could also still be exploited by an attacker. User agent filtering was added in mid-February, but it is straightforward to change a browser’s user agent string to match one of the mobile apps and exercise the interface from a browser.
A portion of this response structure, from a trial account, is shown below
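The user-agent filtering described above fails because the User-Agent header is chosen by the client, so it cannot serve as an access control. The following added example (not LearningA-Z's code; the endpoint, session store, app UA prefixes and sample data are all invented) shows a hypothetical roster endpoint gated only on User-Agent beside one that ties the request to an authenticated session owning the class and returns no password material at all.

```python
"""A hypothetical class-roster endpoint, User-Agent-gated versus session-bound.

Added example, not code from the post or from LearningA-Z. Everything here
(UA prefixes, session tokens, class data) is constructed for the demo.
Each handler returns (http_status, body).
"""

MOBILE_UA_PREFIXES = ("ExampleReaderAndroid/", "ExampleReaderiOS/")   # hypothetical app UAs

# Constructed sample data.
CLASSES = {
    "teacher_a": [{"name": "Student 1", "password": "cat"},
                  {"name": "Student 2", "password": "dog"}],
}
SESSIONS = {"token-a": "teacher_a", "token-b": "teacher_b"}   # hypothetical session store


def roster_ua_filtered(headers, teacher_username):
    """Weak: the only gate is a header the client fills in, and the
    response carries every student's password."""
    ua = headers.get("User-Agent", "")
    if not ua.startswith(MOBILE_UA_PREFIXES):
        return 403, None
    return 200, CLASSES.get(teacher_username, [])


def roster_authenticated(headers, teacher_username):
    """Fixed: require a valid session, require that it belongs to the
    requested teacher, and strip password material from the response."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    owner = SESSIONS.get(token)
    if owner is None:
        return 401, None                      # no session at all
    if owner != teacher_username:
        return 403, None                      # valid session, but not this class's teacher
    return 200, [{"name": s["name"]} for s in CLASSES.get(teacher_username, [])]


if __name__ == "__main__":
    hdrs = {"Authorization": "Bearer token-a"}
    print(roster_authenticated(hdrs, "teacher_a"))
    print(roster_authenticated({"Authorization": "Bearer token-b"}, "teacher_a"))
    print(roster_authenticated({}, "teacher_a"))
```

Two properties of the fixed handler are worth noting: the teacher name in the request is checked against the session rather than trusted, and the response is built from an allow-list of fields, so a future change to the stored row cannot leak a new field by accident.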
I’ll close this post with a quote from the company that develops Raz-Kids, as reported in the NY Times:
“We are confident that we have taken the necessary steps to protect all student and teacher data at all times and comply with all federal and state laws,”