
Teacher Account Vulnerability

Started by TimDaniel, February 03, 2022, 10:41:54 AM


TimDaniel

There have been attempts recently to access teacher accounts by exploiting a long-term vulnerability in the Simplegradebook login system.  The vulnerability was introduced through a bug in a security update performed in January of 2021. 

What happened is that the password recovery system was compromised - when the password recovery system was used, the email sent to the user was displayed in a large blob of text.  The text contained the new password assigned to the user. 

This introduced the possibility that if someone knew, or could guess, a teacher's userid, they could issue a password recovery for that userid and get the new password.  If the teacher then continued using the new password sent to them in the email, and didn't subsequently change it, the account would be compromised.

How Would I Know If My Account Was Compromised?

If the following sequence of events occurred, it is likely that your account was compromised.

  • You received an unsolicited password change email from Simplegradebook between January 15, 2021 and January 26, 2022.
  • You continued using the password in that unsolicited email, didn't change it to something else at the time it was received, and don't regularly change your password.

How Widespread is the Problem?

It isn't possible to determine that from the data in Simplegradebook because it isn't possible to distinguish a legitimate password recovery request from a non-legitimate one, and due to volume, outgoing emails are only kept on the system for a week.  If you think your account was compromised, please send an email to info@simplegradebook.ca so we can determine the extent to which the vulnerability was exploited.  So far (February 3, 2022) three attempts to compromise accounts have been reported.  To date no reports have been received about marks being changed.  This note will be updated if additional information is received.

What Actions Have Been Taken?

First, the problem was fixed as soon as it was reported.  Second, a notice was placed on the system asking teachers to change their passwords if they had received an unsolicited password recovery email.  Third, the login software is being re-written to cause the temporary passwords sent in the recovery emails to expire so they can only be used for a short period of time.  That update will happen in the next few days.

What Can I Do Now?

If you haven't changed your password recently, go to the Profile link under the My Simplegradebook tab and change it now.  Change your passwords frequently - once a month at least.  There are other ways that students can obtain passwords, such as watching you type it in.  If you think that your account has been compromised and marks have been changed, check them against your written records.  If you notice that they have been changed, please send an email to info@simplegradebook.ca so the extent of the problem can be determined. 

If anything unusual happens on Simplegradebook, please feel free to report it in an email to info@simplegradebook.ca.

What Else?

As the developer for Simplegradebook, the responsibility for this issue lies with me.  Users have come to trust Simplegradebook to be available, responsive, and secure.  I can't apologize enough for allowing this to happen.  Teachers have enough to worry about without anything added to their plates. As a retired teacher, the thought of adding to another teacher's burden gives me determination to make whatever changes necessary to ensure this never happens again.

Tim Daniel
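Added illustration of the two recovery-flow changes the post describes (the requesting page no longer shows the email, and the temporary credential expires); this is example code, not Simplegradebook's own, and the class, constant and function names, the 15-minute window and the single-use rule are assumptions made for it.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example, not Simplegradebook's code. Names and the TTL are assumptions.
RECOVERY_TTL_SECONDS = 15 * 60   # hypothetical 15-minute validity window
NEUTRAL_REPLY = "If that account exists, recovery instructions have been emailed."


class RecoveryStore:
    """Short-lived, single-use recovery tokens, kept only as digests."""

    def __init__(self, now=time.time):
        self._now = now              # injectable clock so expiry can be exercised
        self._pending = {}           # userid -> (sha256 hex digest, expires_at)

    def issue(self, userid):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[userid] = (digest, self._now() + RECOVERY_TTL_SECONDS)
        return token                 # the raw token goes into the email only

    def redeem(self, userid, token):
        """True at most once per issued token, and only before it expires."""
        entry = self._pending.get(userid)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._now() > expires_at:
            del self._pending[userid]   # stale credential is discarded, not honoured
            return False
        candidate = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, candidate):
            return False
        del self._pending[userid]       # single use: replaying the same token fails
        return True


def request_recovery(store, userid, known_users, send_email):
    """Handle a recovery request. The web response is the same fixed string
    whether or not userid exists; the secret travels only through send_email."""
    if userid in known_users:
        token = store.issue(userid)
        send_email(userid, f"Use this one-time code within 15 minutes: {token}")
    return NEUTRAL_REPLY
```

With the old design a temporary password stayed valid until the teacher changed it; here a token that is not redeemed inside the window, or that has already been used, is rejected, and the page shown to whoever requested the recovery carries nothing usable.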