The vulnerability affected students and teachers on Moodle worldwide, as attackers could alter grades for exams and homework, enroll or un-enroll students in classes, download or delete other students’ homework, etc.
The Wizcase cyber research team, led by Ata Hakcii, discovered a security vulnerability in the open-source learning platform Moodle. Moodle is an educational platform through which universities and other educational institutions distribute content to almost 242 million users, both students and teachers.
Moodle allows teachers to easily communicate with students, organize and post links, documents, assignments, quizzes, and grades.
About the vulnerability
The vulnerability was discovered on 9th October 2020; however, its details were released last week. According to the researchers, the platform was vulnerable for 6 years before the flaw was discovered and patched.
Any university or school that used Moodle during that time with the TeX filter enabled was at risk. The TeX filter is mainly needed when sharing mathematical formulas, so scientific or economics departments of universities will probably have it enabled.
According to Wizcase’s report on the consequences and risks the researchers discovered, the main threat was “account takeover.” For instance, if an admin account is compromised, an attacker would be able to access the usernames and hashed passwords of all the server’s users and change their passwords to something else.
Moreover, an admin can also read the database configuration, and the database contains the hashed passwords of all the users, so an attacker could either crack those or simply change them to something else directly. The attacker could also grant himself admin rights and then lock out other admins.
Even without gaining access to the admin account, the attacker could simply steal the cookies of other users viewing the vulnerable pages, which would allow the attacker to log in as these users. The bottom line: attackers can do anything another user can do on Moodle without the victim ever knowing it.
Viewing other students’ direct messages, profile descriptions, chat messages, or discussion posts could give them access to the account. This would let attackers steal homework or any other submitted assignments, steal any uploaded files, modify uploaded files, read direct messages, edit profile settings, and send any kind of post on the forum or direct messages in your stead.
In the case of an account takeover for faculty members, the attackers would be able to steal uploaded files that contain answer sheets or unreleased exams, and send any kind of post on forums or direct messages in one’s stead.
Additionally, attackers could modify the course and the course content in one’s stead, alter grades for exams and homework, enroll or un-enroll students in classes, and download or delete other students’ homework so they can steal it and re-upload it as their own.