Serious security flaws found in Israeli distance learning system

'All digital platforms can be used as a battleground for cyber attacks and as use of a platform increases, so too the platform becomes more of a 'quality' target for cyber criminals'

Anais, a student at the International Bilingual School (EIB), attends her online lessons in her bedroom in Paris as a lockdown is imposed to slow the rate of the coronavirus disease (COVID-19) spread in France, March 20, 2020. (photo credit: REUTERS/GONZALO FUENTES/FILE PHOTO)
Serious security flaws have been found in the Ofek system used by Israeli students for distance learning during the coronavirus outbreak, according to information security researchers at Tel Aviv-based Check Point Software.
Ofek is the largest digital system used by Israeli schools for distance learning in elementary, middle and high schools.
Check Point reported the security flaws to the National Cyber Directorate, which worked on the issue with the Education Ministry and the Center for Educational Technology (CET), which acted quickly to fix the issues.
The security flaws allowed attackers to access students' personal information, including their addresses, phone numbers, emails and ID numbers, to view and change their grades, and to access teachers' personal information and secure files. Attackers could also change the passwords of students and teachers.
The attack could be carried out by sending a malicious link from within the system to a user. When the link is clicked, the attacker can remotely send malicious code to the user's account.
"All digital platforms can be used as a battleground for cyber attacks and as use of a platform increases, so too the platform becomes more of a 'quality' target for cyber criminals," said Oded Vanunu, Head of Products Vulnerability Research at Check Point, adding that the Ofek system has become more popular recently amid the coronavirus outbreak.
No attack was carried out using the security flaw, according to the CET.
Last week, Check Point announced that it had found vulnerabilities in three WordPress plugins -- LearnPress, LearnDash and LifterLMS -- which are used to turn WordPress websites into effective learning environments by top global universities and many Fortune 500 companies.
Researchers said the plugins are installed on approximately 100,000 educational platforms, including at the University of Florida, University of Michigan and University of Washington. The three platforms are also used in approximately half of all remote-learning solutions on the Israeli market, enabling companies to create quizzes, lessons, learner rewards and certificates.
The flaws enabled students and unauthenticated users to steal personal information, including names, emails, usernames and passwords; funnel money from an LMS to their bank account; change grades for themselves or peers; forge certificates; retrieve test answers; and escalate their system privileges to those of a teacher.
Following their discovery and disclosure by Check Point in March, all the identified vulnerabilities have been patched by the plugin developers.
Eytan Halon contributed to this report.