The Jerusalem Post

‘Learning platforms compromised’

By EYTAN HALON

Security flaws in the most popular online-learning platforms could enable users to steal personal information and money, Israeli cyber experts have discovered.

The findings published by researchers at Tel Aviv-based Check Point Software come as millions of students and employees worldwide turn to online-learning management systems (LMS) to conduct virtual classes.

The vulnerabilities were identified by researchers in three WordPress plugins – LearnPress, LearnDash and LifterLMS – which are used to turn WordPress websites into effective learning environments by top global universities and many Fortune 500 companies.

Researchers said the plugins are installed on approximately 100,000 educational platforms, including by the University of Florida, University of Michigan and University of Washington. The three platforms also are used in approximately half of all remote-learning solutions on the Israeli market, enabling companies to create quizzes, lessons, learner rewards and certificates.

The flaws enabled students and unauthenticated users to steal personal information, including names, emails, usernames and passwords; funnel money from an LMS to their bank account; change grades for themselves or peers; forge certificates; retrieve test answers; and escalate their system privileges to that of a teacher.

Following their discovery and disclosure by Check Point in March, all the identified vulnerabilities have been patched by the plugin developers.

Omri Herscovici, a vulnerability research team leader at Check Point, warned that students and employees are probably unaware of just how dangerous it can be to log into online learning websites.

“We proved that hackers could easily take control of the entire eLearning platform,” he said. “Top educational institutions, as well as many online academies, rely on the systems that we researched in order to run their entire online courses and training programs.”

“The vulnerabilities found allow students, and sometimes even unauthenticated users, to gain sensitive information or take control of the LMS platforms,” Herscovici said. “We urge the relevant educational establishments everywhere to update to the latest versions of all the platforms.”

Last week, researchers at Check Point warned that hackers are exploiting the rollout of massive governmental financial-relief packages to fill their pockets at the expense of businesses and affected workers.

A major increase in the registration of malicious and suspicious domains related to relief packages has been recorded in recent weeks. The hackers aim to scam individuals into providing personal information, thereby stealing money or committing fraud.

Some 94% of coronavirus-related cyberattacks during the past two weeks were phishing attacks, which attempt to trick users and collect sensitive data while appearing to be legitimate websites.

Approximately 68,000 new coronavirus-related domains have been registered since the beginning of the outbreak in January, including nearly 17,000 since April 2. Of the new domains registered in recent weeks, 2% were found to be malicious and 21% were identified as suspicious.

(Gonzalo Fuentes/Reuters) MILLIONS OF students and employees worldwide are turning to online-learning management systems to conduct virtual classes.
