A security firm hired by an Australian university has found vulnerabilities in Blackboard Learn, the popular course-management software, the Australian computer-security publication SC Magazine reported on Friday.
The company, Securus Global, first told Blackboard of the problems in mid-July. SC Magazine cited unnamed sources who said the company’s employees had used a variety of exploits to gain access to student grades, records, and information. The magazine did not disclose the name of the university that hired Securus.
Blackboard officials acknowledged that they had been notified of four previously unknown security holes in their software that they planned to fix by the end of the year. But they said no student information had been compromised and that the “fear-mongering” SC Magazine article had exaggerated the severity of the problems.
Twelve of the 16 issues that Securus identified were either already known to Blackboard, impossible to replicate, or due to improperly configured security settings by the university, officials said. The four new issues were common problems that Web application vendors regularly contend with, said Jessica Finnefrock, Blackboard’s senior vice president for product development.
“We think these things are important holes to fix,” Ms. Finnefrock said on Friday. “It’s not that we’re dismissing them by any stretch of the imagination. We feel comfortable that these are low- or medium-level vulnerabilities.”
The SC Magazine article, citing unnamed sources, said initial reports of the problems to Blackboard in July “fell on deaf ears” for more than a month. AusCERT, an information-security group housed at the University of Queensland, had threatened Blackboard that it would alert Australian security researchers, the article said.
Stephanie Tan, Blackboard Learn’s director of security, said AusCERT did warn Blackboard, but that it “didn’t seem like it was a warranted warning.” The company responded within 48 hours of learning of the problems and was in continuous contact with its client universities throughout July and August, officials said.
Blackboard sent an advisory notice to its clients this week describing the nature of the problems, but no clients have since contacted the company indicating concern, Ms. Finnefrock said.