Seventh-grader Discovers Vulnerability in School Grading Software
January 24, 2023
As seventh-grader Jay Jackson practiced skills he learned in his online cybersecurity class, such as finding vulnerabilities in programs, on FOCUS School Software, he quickly realized he had accidentally hacked into its system.
“I was looking to see if I could find anything internal, like what they were doing on the back end,” he said. “I just wanted to see if I could find something in a [company] so big.”
It only took Jackson four days to fully gain access to its system.
“[I was in] disbelief,” he said. “[I wondered] how they could overlook something so common.”
Jackson and his mother took this information to Principal Rick Fleming, fearing legal ramifications for cyber hacking.
“There is not much I could’ve done for my personal benefit,” Jackson said. “I don’t want my information or any of the other students’ information to be released.”
Fleming said he was not surprised that he was approached by Jackson and his mother.
“Our students have very good moral compasses because they come from very good households and parents have raised them right,” Fleming said. “So you have the giftedness, but you also have the moral and ethical compass to do the right thing.”
After bringing his information to Fleming, Jackson had the opportunity to join a Zoom call with the head of FOCUS and the IT team.
“It didn’t really go through my mind at that moment,” Jackson said. “It was just really interesting being able to talk to someone with such a big company.”
Fleming said he found the encounter amusing.
“It was hilarious,” he said. “They were dumbfounded, I mean, jaws dropping on the ground and, you know, here’s this little seventh-grader sitting there. It was very comical for me.”
Fleming said this is not the first time a student has successfully hacked into a school system.
“Since I’ve been here there have been some very unique circumstances involving very gifted kids,” Fleming said. “We had a student here one time hack into our email system, we found out later, with one of our computers at the media center. He is now working for the National Security Administration and he’s an IT guy. He’s brilliant.”
School Technology Associate Anthony Albert said the hack was not a difficult task, but it was definitely not accessible to the average person.
“My understanding is that our student was able to exploit what we’d call, in IT, a somewhat lax administrative paradigm on the part of the FOCUS teams,” Albert said. “While I don’t believe just anyone could have pulled it off, I think there were definitely some opportunities for improvement regarding IT security on the FOCUS side.”
Jackson is now working with the FOCUS security team to identify other possible vulnerabilities in the program. Though he said he does not have a clear direction of where that relationship is going, he currently is creating his own online platform.
“I’m working on an operating system called Tyto,” he said. “It’s not really about making something revolutionary, but it’s more of something to help me learn the extremely low levels of programming.”
Albert expressed gratitude that the program’s vulnerability was exposed, for the sake of students’ safety and security.
“This incident has happily led to a shoring-up in that department that can only help our students going forward,” Albert said. “I think it also shows that a person’s age is likely one of the least effective means of determining their skills or drive. I personally hope that the student in question continues to pursue this kind of work in IT security. I see a bright future there, for sure.”
Jackson said he sees cybersecurity in his future.
“Cybersecurity is something I’ve been thinking about pursuing,” Jay said. “But I think for right now I want to focus on coding.”