SECOND GRADER HACKS SYSTEM, SHOWS KIDS HOW TO ACCESS ANY STUDENT ACCOUNT
BY: ANDREW COLTON | Editor & Publisher
BOCA RATON, FL (BocaNewsNow.com) — The Palm Beach County School District is in the midst of a massive computer security crisis that draws into question the authenticity of every assignment completed by every student since “distance learning” began, after BocaNewsNow.com learned that an elementary school student hacked the school district’s password system.
We are not revealing the password convention that is used in the school district, but the second grader’s — you are reading that correctly, the second grader’s — hacking resulted in an emergency login change for “live” morning meetings in several elementary schools last week. It did not result — yet — in a district-wide reassignment of student passwords for the School District’s “Portal” which provides access to Google Classroom.
It is unclear if teachers and administrators were aware that the second grader’s hack potentially impacted the entire 176,000 student school district.
Every Palm Beach County School District student is now utilizing “Google Classroom” during “distance learning.” The system is used for email, classroom work assignments, live communication with teachers, and tests. The hack potentially lets any student log into any other student’s Google Classroom account.
Monday, a 10-year-old proved to BocaNewsNow.com that he was able to log into an unrelated 6-year-old’s account with the permission of that student’s parent. The 10-year-old was given nothing but the name of the student in another grade. That 10-year-old — using the hack widely shared among students — needed less than two minutes to find the 6-year-old’s account and enough identifying information to log in as the 6-year-old.
All of the identifying information was located on the Palm Beach County School District’s computer network.
Once logged in, the 10-year-old had complete access to the 6-year-old’s school work, teacher emails, “chats,” and classroom “live video stream.”
BocaNewsNow.com alerted the Palm Beach County School District’s media relations department of the hack at 6:45 p.m. Monday and promised that this story would not publish until 7 a.m. Tuesday, giving the District ample time to force mandatory password changes District-wide. A Spokesperson said that the information was being forwarded — immediately — to the District’s I.T. Department.
At 8:30 p.m., a School District representative told BocaNewsNow.com that students are instructed to change their password regularly, but students and teachers told BocaNewsNow.com that this is NOT permitted — at least at the elementary level.
Later Monday evening, the School District confirmed that elementary school students are not permitted to change their passwords. A spokesperson said that may change this week as a result of the massive password compromise.
Google Classroom is — at its core — an education version of professional “GSuite“ which is used by major companies worldwide. The security protocols available under professional “GSuite” accounts, however, are not accessible at the student level for users of Google Classroom. A password switch has to be initiated — and approved — by the Palm Beach County School District — at least for students in elementary school. That leaves all elementary school accounts — as well as every account where students haven’t changed passwords on their own — accessible.
The flaw isn’t Google’s — it’s the School District’s. Students use their School District “Portal” login information to access Google Classroom.
Before March, Palm Beach County School District students primary used Google Classroom in the presence of a teacher — there was no reason to access the system remotely. Distance learning, however, made it the center of online schooling. The School District’s I.T. department apparently never imagined that its simple default password naming convention could impact the accuracy, authenticity and online safety of every student in the Palm Beach County School District.