Update: They did patch this. See the “Latest Updates” section. Testing
How did I discover this?
About three years ago, I noticed something alarming while ordering a yearbook through yearbookordercenter.com. Whenever you go to place an order for your yearbook, it has a convenient autosuggest feature that populates your child’s information so you don’t have to type it by hand (because asking for your child’s name, homeroom, and grade is too much to ask).
Digging a bit deeper
I was curious, so I looked at the network tab in DevTools. What I found was alarming. On the page visible to the user, it showed only the student’s name, grade, and homeroom, but the network request returned the student ID, grade, homeroom, first, middle, and last name, parent email, address, and zip code.
What’s even worse is that for old batches, the data still remains in their system. Checking their API as of 26 October 2024, my data from 2021 is still in there.
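To make the gap between what the page displays and what the API returns concrete, here is an added example (not code from this post or from the yearbook vendor) of a server-side allow-list projection for an autosuggest response, plus a check that lists any fields in a captured JSON response beyond those the UI displays; the field names and the sample record are assumptions modelled on the post’s description.

```javascript
// Added example, not the vendor's code. Field names are assumptions
// modelled on the fields the post says the UI shows versus what the API returns.

// Fields the autosuggest UI actually displays: the only ones the endpoint should return.
const AUTOSUGGEST_FIELDS = ["firstName", "lastName", "grade", "homeroom"];

// Constructed sample record, shaped like the over-exposed response described in the post.
const SAMPLE_RECORD = {
  studentId: "S-000123",
  firstName: "Jane",
  middleName: "Q",
  lastName: "Doe",
  grade: "7",
  homeroom: "204",
  parentEmail: "parent@example.com",
  address: "1 Example St",
  zip: "00000",
};

// Server-side projection: copy only allow-listed keys, so the client never
// receives parent contact details or addresses regardless of what is stored.
function projectForAutosuggest(record) {
  const out = {};
  for (const key of AUTOSUGGEST_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(record, key)) out[key] = record[key];
  }
  return out;
}

// Review helper: given a captured response body (e.g. copied from the DevTools
// network tab) and the fields the UI renders, return the extra fields, sorted.
function overExposedFields(responseBody, displayedFields) {
  const allowed = new Set(displayedFields);
  const rows = Array.isArray(responseBody) ? responseBody : [responseBody];
  const extra = new Set();
  for (const row of rows) {
    for (const key of Object.keys(row)) {
      if (!allowed.has(key)) extra.add(key);
    }
  }
  return [...extra].sort();
}
```

Running `overExposedFields` against a saved response of your own account's data is a quick way to confirm whether a fix actually narrowed the payload or only changed the hostname.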
Note: It appears eBiz is a utility through which yearbook creators can add collaborators or upload records for this auto-suggest feature. They even have a detailed video on it as well.
What’s funny is that they changed the URL from https://www.yearbookordercenter.com/ProxyFactory.cfc?returntype=JSON to https://prod.yboc.varsity.com/ProxyFactory.cfc?returntype=JSON and didn’t update anything besides that. They still kept the old data and allowed it to be accessed if you had the internal API ID.
I attempted to tell them multiple times, both through the yearbook administrator at my school and over e-mail, but I never got a response.
Now, the best solution would arguably be to have the parents fill in the data without this auto-suggestion feature.
Now, this was somewhat patched, but what’s insane is that it still exposes emails.
What other problems does this expose?
This also exposes the fact that schools are handing over this data about students without their consent and entrusting it to companies who… don’t have the best security practices.
Latest updates
They fixed it. I called them and they fixed it very quickly.