CourseInfo Exposes Admin Psw

BlackBoard CourseInfo Exposes Admin Psw
Reported July 10, 2000 by
James Megna

Blackboard CourseInfo 4.0


During the installation process, Blackboard CourseInfo 4.0 requires that the user create an administrative account used to access and configure the CourseInfo software. The user name and password are stored in a registry key that is left unprotected from access by unauthorized users. Furthermore, the password is stored in clear text making abuse all the more likely. The username and password are stored in the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Blackboard, Inc.\CourseInfo40


Blackboard Inc. is aware of the problem and has recommended that users protect against remote registry access by asserting proper permissions on the operating systems "winreg" registry key.

Take note that this measure does not protect the registry key from access by a locally logged on user, so the risk remains if the system is shared by other users.

At the time of this writing, no response was available from Blackboard Inc. with regard to whether a patch or future product version would remedy the clear text password storage and loose registry key permissions.

Discovered and reported by James Megna

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.