We Hacked Our Way to Free 4.0s and Took over a UWaterloo and UofT Grading Tool
A group of students discovered vulnerabilities in MarkUs, the grading tool used at the University of Toronto and the University of Waterloo. They found that a student account could access other students' submissions and that grades could potentially be manipulated through cross-site scripting (XSS) attacks against instructors. The students responsibly disclosed these issues to the MarkUs team without using them for personal gain.
- MarkUs is a web application for submitting and grading assignments in computer science courses.
- The students identified a flaw that allowed them to view any student's submission by manipulating file IDs.
- They also discovered that malicious files could be submitted, leading to potential XSS attacks on instructors.
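As an added example (plain Ruby, not MarkUs's own code), the file-ID flaw summarised above modelled as an unscoped lookup beside a membership-scoped one, plus a check over constructed access-log lines that flags an account walking the ID space; the file table, user names and log format are all constructed for the example.

```ruby
require "set"

# Added example, not MarkUs code. The flaw described on the page is an insecure
# direct object reference: a student changes the numeric file ID in a request and
# the server returns another group's submission file. Here the lookup is scoped
# by group membership, and a small detector flags accounts that are denied on
# many distinct file IDs.

# Constructed data: each submission file belongs to one grouping of students.
FILES = {
  101 => { grouping: :g1, name: "a1.py" },
  102 => { grouping: :g2, name: "a1.py" },
  103 => { grouping: :g3, name: "a1.py" },
}.freeze
MEMBERSHIP = { "alice" => :g1, "bob" => :g2, "carol" => :g3 }.freeze
INSTRUCTORS = %w[prof].freeze

class AccessDenied < StandardError; end

# Vulnerable pattern: the lookup trusts the ID and never asks who is calling.
def fetch_file_unsafe(_user, file_id)
  FILES.fetch(file_id)
end

# Hardened pattern: instructors may read any file; a student only files of their
# own grouping. A file that exists but is not theirs is reported exactly like a
# missing one, so the error does not confirm which IDs are valid.
def fetch_file(user, file_id)
  file = FILES[file_id]
  return file if file && INSTRUCTORS.include?(user)
  unless file && file[:grouping] == MEMBERSHIP[user]
    raise AccessDenied, "file #{file_id} not available to #{user}"
  end
  file
end

# Detection over "user file_id status" records: report any account whose denied
# (403) requests cover at least `threshold` distinct file IDs, the footprint of
# someone stepping through IDs rather than mistyping a single URL.
def enumeration_suspects(log_lines, threshold: 3)
  denied = Hash.new { |h, k| h[k] = Set.new }
  log_lines.each do |line|
    user, id, status = line.split
    denied[user] << id.to_i if status == "403"
  end
  denied.select { |_, ids| ids.size >= threshold }.keys.sort
end

# Constructed access log: bob requests IDs 101..105 and is denied on all but his own.
SAMPLE_LOG = [
  "alice 101 200", "bob 102 200", "bob 101 403", "bob 103 403",
  "bob 104 403", "bob 105 403", "carol 103 200", "carol 102 403",
].freeze
```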
Opening excerpt (first ~120 words):
First, I’ll explain what MarkUs is and why we went after it. Then I’ll walk through how a student account could view other students’ submissions, how we could get 100s on assignments/tests, and finally how we escalated to RCE. I’ll also cover a few other vulnerabilities we found along the way.

Important note: We responsibly disclosed these issues to the MarkUs team and did not use them for academic or personal gain or to affect anyone’s grades.

introduction

what is MarkUs?

MarkUs is a web app used for submitting and grading assignments. It helps students submit work, join groups, and view feedback, while TAs and instructors can grade, comment, manage groups, and release marks. It is used for almost all computer science courses at the University of Toronto and the University of Waterloo.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at xtra.