School chat app Seesaw abused to send 'inappropriate image' to parents, teachers

Parents and teachers received a link to an "inappropriate image" this week via Seesaw after miscreants hijacked accounts in a credential stuffing attack against the popular school messaging app. Seesaw – which claims more than 10 million teachers, students, and parents use its tech every month – shared a letter from its CEO …

  1. Anonymous Coward

    Living in fear of a 2nd wave.

    It has been amusing to watch news agencies and press releases tiptoe around this, but my amusement over the sheer number of ways people can avoid writing "NSFW image of a naked man spreading his cheeks" is greatly reduced by the prospect of this going viral and generating a 2nd wave.

    With the original domain running far longer than reason would suggest, it seems that once it went offline the image became an endangered species. Now a whole new generation of middle schools have copies. Avoiding it was easy enough for a long time, just check where your links were going, and you were safe behind most content filters. (Blocking it was practically the EICAR of content filtering.) Now those of us at schools have to worry about Airdrop attacks, harassment and cyberbullying if it catches on again.

    1. Adrian 4

      Re: Living in fear of a 2nd wave.

      Maybe if you're so horrified by the tasteless display of an organ 100% of humans own, you should reconsider your priorities.

      It's good to have some taste, but the lack of it is probably not the worst threat our species - even the young members still in full-time education - is facing.

      1. Ordinary Donkey

        Re: Living in fear of a 2nd wave.

        My suspicion is that there's some kind of uncanny arsehole effect going on here, caused by the owner being smaller than people assume in other ways which makes parts that don't scale that way look unnatural.

      2. YetAnotherXyzzy

        Re: Living in fear of a 2nd wave.

        "Maybe if you're so horrified by the tasteless display of an organ 100% of humans own, you should reconsider your priorities."

        The OP did state "those of us at schools...", which seems to mean that an employer expects him or her to filter this out.

        I was in the same boat. In a previous job at an educational institution, I was put in charge of several public access computers connected to the internet for the kiddies "to do their homework". It was made very clear to me that I had to block never-defined bad stuff, full stop, and making that happen was my problem. So I've been there done that and give the OP an upvote and a lot of sympathy.

      3. GrahamRJ

        Re: Living in fear of a 2nd wave.

        Clearly you've not seen that image. With the Photoshopping involved, this is not an organ which any human owns.

  2. phuzz Silver badge
    Trollface

    Glad to see Goatse is still getting some use, reminds me of the time Jason Scott Goatse'd Myspace.

    1. Anonymous Coward

      I'll raise a cup to that - just 1 cup...

      1. Halfmad

        Coloured waffle?

        Anyone for some coloured waffle?

        1. JT_3K

          Re: Coloured waffle?

          Nope. Nope.

          Nope.

          I'll go read "Swamps of Dagobah" again before I go looking for that image.

  3. Spanners Silver badge
    Big Brother

    My first thought

    When I saw the headline, I wondered if something had gone wrong with one of the systems that the kiddyfiddlers on some US boards of education used to spy on minors.

  4. Twanky

    I blame the parents

    Seesaw – which claims more than 10 million teachers, students, and parents use its tech every month...

    Less than 0.5 percent of users were affected

    So, fewer than 50,000 users were affected. Is that the number who received the link, or the number who blindly followed the bit.ly link or the number of accounts taken over to send the link?

    What's really rubbish is that people who have access to an account through which they can send messages to kids and access their personal information were so bloody lazy they couldn't be bothered to set a password they hadn't used before.

    The BBC covered this story and included the following:

    The head of one school in Milwaukee warned parents not to blame those who appeared to have sent the message.

    "While specific parent names were attached to these messages," the school's statement said, "we know that these parents were not involved."

    They bloody well were involved. Lazy bastards.

    1. deep_enigma

      Re: I blame the parents

      "... people who have access to an account through which they can send messages to kids and access their personal information were so bloody lazy they couldn't be bothered to set a password they hadn't used before."

      FTFY. :(

  5. An_Old_Dog Silver badge

    I'm waiting ...

    ... for the excuse-phrases, "We take your privacy seriously", "sophisticated attack", and "making improvements".

    1. Frank Bitterlich

      Re: I'm waiting ...

      You forgot "state-sponsored hacker" and "terrorist".

  6. Steve Graham
    FAIL

    Article written by a hack who forgets that the USA isn't the whole world.

    1. Twanky

      I too dislike an article that 'forgets that the USA isn't the whole world'.

      I don't think this article matches that description at all.

    2. VicMortimer Silver badge
      FAIL

      Comment written by a hack who forgets that software isn't just used in the USA.

      https://www.chapelfordvillageprimary.co.uk/learning-at-home/seesaw

    3. M.V. Lipvig Silver badge
      Joke

      Why sure we are! All your base are belong to us, and all that.

  7. Anonymous Coward

    Oh it’s Mr G

    I almost feel nostalgic for the old BBS days!

    A new generation is born, albeit reluctantly.

  8. Swarthy
    Trollface

    Could have been worse

    At least it was the relatively harmless Goatse, and not the actively malicious Rick Roll.

  9. Jin

    Quick Fix for Preventing Re-Use of Password

    Some people might think of removing the password altogether as the quickest and easiest solution. This approach might well appear to be the very best for the people who are of the view that “‘not good enough’ is ‘bad’ and ‘whatever is bad should be removed’” and “‘login with a token alone’ is securer than ‘a login with a password + a token’”.

    1. Twanky

      Re: Quick Fix for Preventing Re-Use of Password

      'Not good enough' is bad when you're dealing with other people's personal information. Even worse when those other people are too young to give consent.

      Linking a login token to some other data slurping organisation ('login using Facebook' springs to mind) would just make the compromise worse.

  10. Anonymous Coward

    Passwords are a pain

    Some teachers will set an easy password for all the students in their class.

    Seesaw can’t enforce MFA really as that would require each student to have an Authenticator of some sort.

    Can’t IP restrict as Seesaw needs to be accessed at home.

    Maybe teacher or parent approval is needed for login when not behind a school IP.

    1. Twanky

      Re: Passwords are a pain

      Good start - but here's a radical thought: Maybe Seesaw has inappropriate functionality built into it?

      Why should parents have the ability to send anything to groups of parents or students? Maybe such a feature should be earned rather than given by default? Maybe that would be a feature that requires MFA? Why are obfuscated links to off-site content permitted at all? Or for that matter any link to off-site content without moderation? If we want an interactive noticeboard for the school then maybe the school needs to review and moderate the content?

      Any response along the lines of 'that's all too difficult' takes us back to the question about unique passwords for each site/service. If it's too difficult to use it properly then don't use it.
