Today Raz-kids sent an email to its email@example.com mailer list for users of its service. The full text of the email is at the end of this post. In this post I’ll address statements that are counter to my observations, with screen shots showing why.
“SSL encryption,…has always been used on Raz-Kids’ teacher-facing accounts”
I have proxy session files and screen shots taken as recently as March 4th that show teacher credentials sent without SSL, and authenticated teacher account sessions served without SSL. The current SSL certificate on http://www.raz-kids.com was issued on February 11th of this year. I observed certificate errors flagged by the browser when attempting to force HTTPS/SSL on http://www.raz-kids.com during January of this year. The certificate information with validity date is shown below.
My March 4th blog post on raz-kids security problems includes a screen shot of a teacher login page, including the code for the login form, served without SSL, and the credentials sent without SSL. It was captured on March 4th and I’ve included it again here. The ‘world’ icon on the URL bar shows that the page including the code for the login form was served with http.
Here is a new screenshot taken today. Notice that today the lock icon indicates this page was served with https. I confirmed that the credentials are posted with https today as well and that is also a change from yesterday.
The following screenshot was captured on March 2 and shows a logged-in teacher session served with http.
A copy of the page cached by Google yesterday shows that as recently as yesterday the link embedded in the teacher login button was http, meaning at a minimum that http was the default. This is consistent with my observations.
Older cached copies of this same page on the Wayback Machine show the same thing.
“SSL encryption.. has now been added to the student-facing side of Raz‑Kids and its mobile applications. It is recommended that users of a previous mobile app download the latest update to utilize this enhancement.”
Correct, but there is one important detail. The older version of the app still works, and users who have not updated still transmit full class rosters with plain text passwords without encryption every time a student logs in. The underlying interface can also still be exploited from a browser, using a teacher username to extract the names and passwords of an entire class. Raz-kids could disable this interface and force users to upgrade the apps but thus far has not done so. Details of this were included in my March 4th post and a screen shot of the response including student passwords in plain text is shown below. This screen shot was captured on March 2 but I have confirmed today that this interface is still active.
“This additional encryption provides a comparable level of security found on various eCommerce sites.”
e-Commerce sites must adhere to the Payment Card Industry Data Security Spec (PCIDSS), a rigorous set of security requirements, including around encryption and overall transport layer security. As I reported yesterday, the Qualys SSLLABs SSL checker gives http://www.raz-kids.com a score of ‘F’ because of an unpatched vulnerability to POODLE TLS. (You can check the current status here.) Though not directly related to encryption, there are numerous other security flaws with the raz-kids site that would cause a failed PCIDSS audit.
A screen shot of the Qualys SSLLABS report is shown below.
“An inaccuracy was recently discovered in Learning A‑Z’s Student Data Security and Confidentiality Statement. Despite what was stated there, Learning A‑Z does not require teachers or parents to add a student’s first name, last name, or identification number. All that is required is a student login handle. This statement has been revised.”
My observation is that student accounts set up prior to February 11 do not have such a “login handle” and use the students’ full names as the “login handle”, or username. This seems to indicate that the change noted to the Student Data Security and Confidentiality Statement corresponds to a material change in the service.
On February 11th and before, I observed that the “Add Student” page had entry fields for First Name and Last Name with no option for “login handle/class chart name” or other identifier for the student other than first name and last name. The screenshot below was taken on February 11th.
Today the same page looks like this (red boxes are mine). “Class Chart Name” is the “login handle” referenced in the email.
Prior to February 11th, it appears that teachers had no option to add a “class chart name”, only a student’s first and last name. Today I opened an existing teacher trial account and added a new student, “Iwas Addedtoday” with “class chart name” of “iwasadded”. Here is how the class roster looks. Notice that the new student Iwas has (iwasadded) below the first and last name and that Betsy and Robbie, set up prior to Feb 11th do not. This situation is hard to explain if the “login handle/class chart name” had always been a required field.
The “login handle” for each of the two pre-Feb-11th students is in fact the first and last name as shown here. Only the new student has a “login handle” of “iwasadded”. Robbie and Betsy’s login handles are their full names.
I believe that any teacher using Raz-Kids can confirm this by logging in and going to the Class Roster page under Manage Students. If a class was set up prior to Feb 11th I expect that the students won’t have “class chart names”, and that there is no way to add one to an existing student. This seems to show that “class chart name” was not a field, required or otherwise, when the class was created.
“Learning A-Z believes all student data is important and needs to be protected. This includes student voice recordings, reading level information, and student login handles, which Raz‑Kids does collect for educational use.”
Company representatives have publicly stated in the NYTimes that raz-kids doesn’t collect “Sensitive” personal information and on Twitter that Raz-Kids “holds no personal information”. This statement discussing student information collected by Raz-Kids seems to contradict those public statements.
The full text of the mail sent today from Raz-Kids to teachers is below.
Learning A-Z’s Raz-Kids reading product has received even more security enhancements to protect student data. Learning A‑Z’s mission to empower teachers to help students succeed will not be impacted and product functionality will not be compromised.
Privacy and data security are core values of Learning A‑Z. As such, after proactively seeking out and then successfully completing a third-party audit to verify Family Educational Rights and Privacy Act (FERPA) compliance in December 2014, it was found that Cambium Learning and its products “successfully addressed the various applicable FERPA requirements.” The audit did make some suggestions for additional enhancements and those enhancements are detailed below.
Additional enhancements to Raz-Kids and Learning A-Z’s other student-facing technology products include:
Learning A-Z believes all student data is important and needs to be protected. This includes student voice recordings, reading level information, and student login handles, which Raz‑Kids does collect for educational use. Raz‑Kids has never stored or required student email addresses, physical addresses, or Social Security Numbers. Any other student information, like first and last name, is not required, though teachers could choose to add this information to best support their educational objectives.
Learning A-Z will continue to address ever-changing issues brought up by parents and educators. As part of an ongoing security effort, Learning A‑Z and Cambium Learning’s other business units have already signed the Student Data Privacy Pledge recently promulgated by the Future of Privacy Forum and the Software and Information Industry Association.
As the issue of data security and student privacy continues to evolve, Learning A‑Z encourages curious or concerned educators or parents to contact John Jorgenson, SVP, Marketing at any time to learn more (520-232-5070 / firstname.lastname@example.org).
I noticed an error in the screen shot from 3/2/15 showing a logged-in teacher session using http. I have replaced it with a correct screen shot also taken on 3/2/15.