Security issues with Blackboard

A report published recently by the Dutch company Online24 highlights security issues in Blackboard. The risks identified by the report can be categorized as general risks applicable to practically all internet applications. This does not however mean that these are acceptable risks. We would like to emphasize the danger that some students (particularly those with programming skills) may be capable of altering their marks in the Grade Centre, with the changes being attributed to the lecturer. For this reason we are temporarily issuing the advice not to use the Grade Centre for registering marks that contribute towards the final mark for a course (that is registered in OSIRIS). In the setup and management of Blackboard at the UT we have taken measures in accordance with the UT’s Security Policy, to minimize risks. All connections are SSL. Regarding availability and robustivity, all hardware is double redundant and backups are made on a daily basis. Furthermore we intend to implement Blackboards newest Service Pack for our Blackboard version (version 8.0) in the very near future.

We are of course dependant on Blackboards company for the solution of security issues. The company has recently issued the following statement regarding the report:

" (…)Upon learning about the report the Blackboard Security Team immediately began researching the issues, and contacted the authors of the report. We’ve gathered information and are attempting to reproduce the results in our lab. If we are able to confirm any of the asserted vulnerabilities, we’ll take swift action to correct them and, if any vulnerabilities relate to your version of Blackboard Learn, we’ll provide you with the necessary updates to your software.(…)"

We shall install the updates as soon as they become available.