Updated: 10:00 p.m.
Two Minneapolis Public Schools students used an email prank Friday to draw attention to what they say are more security flaws in the district’s computer systems.
The teens, who described themselves as members of Washburn High School’s class of 2025, sent a mass email from a district account to staff and students.
Couched as a Rickroll joke, in which a prankster tricks their target into listening to Rick Astley’s “Never Gonna Give You Up,” the email linked to a detailed report that the teens wrote detailing the problems that they found, including easily accessible student photos and usernames.
Ian Coldwater, a Minneapolis-based professional hacker who helps their clients find vulnerabilities in computer systems, said in a phone interview Friday that the students uncovered serious security flaws.
MPR News is Member supported public media. Show your support today, donate, and ensure access to local news and in-depth conversations for everyone.
“There are things that are accessible from within the network that shouldn’t be,” Coldwater said. “There should be extra layers of having to be authorized to see some of this stuff, even if you are connected to the school network.”
The teens wrote in their report that a March ransomware attack targeting the district inspired them to investigate other potential information technology problems.
Coldwater, who reviewed the report for MPR News, said that the students included suggested fixes and were careful not to publish private data.
“Their work is solid,” Coldwater said. “I hope that people see their talent, see their desire and commitment to act ethically and help them cultivate it, channel it in good directions, hire them to help fix this rather than punishing them.”
The teens wrote that they were not able to access their fellow students’ grades, but that potential security flaws with Chromebook laptops could enable “academic cheating and dishonesty” when the computers are used for standardized testing.
In an email to MPR News Friday afternoon, district spokesperson Crystina Lugo-Beach downplayed this latest incident.
“This was NOT a hack, but an internal email sent out by a group of students using MPS student mailing systems,” Lugo-Beach wrote. “The mailing list feature used to send this email is a standard Google feature, like a building paging system, and operates under the premise that it will only be used appropriately. Clearly the students used it for another purpose.”
But Coldwater said that the students were able to access far more than the mailing system.
“They found network passwords by sniffing the network, they found various issues relating to enrolled Chromebooks, they found directories, they described how they got into the email system, and they also talk about different kinds of security issues that they found.”
In a second email later Friday, Lugo-Beach said that “MPS is aware of the situation and has reviewed the report. MPS routinely evaluates opportunities to enhance security measures. As such, many of the identified items are already included in our security roadmap.”
Lugo-Beach added the “industrious students involved in this incident” were not “flagged as intruders because they are part of our system.”