Flaw in popular U.K. classroom software exposes vast trove of kids’ personal data

One of the most popular Internet filtering tools in the U.K. has been found to have a flaw exposing hundreds of thousands of children’s personal information.

British security researcher Zammis Clark has discovered a security vulnerability in the encryption protecting Impero Education Pro, which is used in 27% of British K-12 classrooms.

Teachers use the program to limit kids’ Internet access, manage classrooms, and, in an odd twist, prevent Islamic radicalization by flagging keywords like “jihad,” “jihobbyist,” and “message to America.”

As the Guardian noted, the newly revealed flaw “could allow almost anyone to gain full access to computers running the Impero software, run software such as spyware on the systems, or access files and records stored on them.”

Impero, which is based in Nottingham, U.K., and has an office in Portland, Oregon, has issued a patch for the flaw, but the company has been slow to deliver it, according to several of the affected schools.

Impero has a reputation for hard selling and slow communicating. A great deal of the company’s public response has involved indicting Clark for publishing the flaw. Less attention has been paid to the alarming breach itself. Impero has sent a takedown notice to Clark and said he “maliciously and illegally hacked our product.”

According to Clark, the software has a default password of “password” and lacks decent authentication. If a hacker can gain access to an Impero server, any machine connected to it is seriously vulnerable.

Curt Hopkins

Curt Hopkins has over two decades of experience as a journalist, editorial strategist, and social media manager. His work has been published by Ars Technica, Reuters, Los Angeles Times, and San Francisco Chronicle. He is also the founding director of the Committee to Protect Bloggers, the first organization devoted to global free speech rights for bloggers.