University Post
University of Copenhagen
Independent of management

Education

Security breach may have let students cheat

For eight months, computer-savvy students have been able to adjust teacher's notes, and thereby also noted grades, in a system at the University of Copenhagen

A security breach in the University of Copenhagen’s e-learning system has allowed computer-sophisticated students access with teacher’s rights, hypothetically letting them change the notes that some teachers use for tallying a final grade.

The breach, which was open for a full eight months, has just been sealed up, according to Peter Aagerup Jensen of the university’s Education Service. He has just given an update to the University Post after an article broke on the news site Version2.dk.

With just a small piece of the so-called javascript in the right place in the university’s course administration system Absalon, computer-savvy students would have, technically speaking, been able to gain access to the notes.

Great fun

The hole in the system’s security was first found by an enterprising computer science student taking ‘Advanced Programming’ with PhD student Morten Ib Nielsen at the Department of Computer Science DIKU.

»It was great fun, that a student could change the banner on Absalon to an advert for DIKUs student portal. But we reported the vulnerability, so the hole could be closed,« Morten Ib Nielsen says to Version2.

Apparently the official grading is still carried out on paper, but many teachers still use the Absalon notes to tally and subsequently fill out the forms manually in another system, Føniks.

Now blocked

The breach was wide open for eight months.

Only the threat of a critical article got the supplier, the Norwegian company IT’s Learning, to pull its socks up, the Education Service department at the University of Copenhagen explains.

The breach was finally closed at 9 am Wednesday morning 2 June.

»We now have a patch, and it is no longer possible to the entering new scripts on Absalon,« says Peter Aagerup Jensen of the university’s Education Service.

Worst case scenario

He emphasises that exam systems and other administrative systems are not directly affected by the security breach, as Absalon is an isolated system.

»Absalon does not in itself do grades, but teachers can have noted what grade should be given in Absalon, and it is this note, that can have been changed,« explains Peter Aagerup Jensen of the Education Service.

This is the worst case scenario, and he emphasises that there is no evidence that anyone has done so.

»We have been nervous that any publicity would in itself deliver the recipe to anyone who wanted to cheat. But I reckon it is probably only computer science students who would be able to do this, and teachers at DIKU have taken their precautions,« he says.

Absalon to be scrutinised

He adds that his office will seek a subsequent general check-up of Absalon now that this breach has been plugged.

Will you send us the link with a script for our readers, so they can see for themselves whether the plug works?

»No!«

miy@adm.ku.dk

Seneste