Blackboard is vulnerable to cross-site request forgery. What this means is that visiting this page (or, for that matter, any other page) while you have a Blackboard session open could have the unpleasant side effect of un-enrolling you from courses you were enrolled in. Or removing blocks from your homepage. Or enrolling you in hundreds of courses. Or anything else, really: I'm a student, so I'm not sure how the Blackboard administration interface works, but it may well be possible to enter or edit grades or do other nasty things (deleting content?). And nobody will know exactly what happened: the forged requests are authenticated with your own username, session and IP address.
The worst part: it's not even complex or very sophisticated. Anybody could do it. It took me five minutes to figure this out.
Research was conducted using the Blackboard Academic Suite installation at the Delft University of Technology, version 8.0.260.7.
My short research showed that many, if not all, of Blackboard's forms are vulnerable to some form of cross-site request forgery. Many forms (wrongly) accept a GET instead of a POST to execute actions that change data. None of the forms appear to use a proper defence against this kind of attack, such as unique per-session or per-form tokens.
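As an added illustration (not Blackboard's code, and not part of the original post), the following server-side check shows the two defences the forms are missing: state-changing actions rejected unless sent by POST, and a per-session token that a cross-site page cannot know. The session store, form dictionary and function names are assumptions for the example.

```python
import hmac
import secrets


def issue_csrf_token(session: dict) -> str:
    """Create a random per-session token, keep it server-side and embed it
    as a hidden field in every state-changing form (synchronizer token)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def authorize_state_change(session: dict, method: str, form: dict):
    """Gate for any handler that changes data (enrol, un-enrol, remove block).
    Returns (allowed, reason). Fails on either defect the post describes:
    - action reachable via GET   -> only POST is accepted
    - no unique form token       -> token must match the session's token
    """
    if method.upper() != "POST":
        return False, "state-changing action must be POST, got %s" % method
    expected = session.get("csrf_token")
    supplied = str(form.get("csrf_token", ""))
    # Constant-time comparison so the check does not leak token bytes via timing
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or mismatched CSRF token"
    return True, "ok"


def demo() -> dict:
    """Constructed requests against one logged-in session (hypothetical data)."""
    session = {"user": "student"}
    token = issue_csrf_token(session)
    enrol = {"action": "enroll", "course_id": "EXAMPLE-COURSE"}
    return {
        # cross-site <img>/link: browser sends the cookie, but only a GET
        "forged_get": authorize_state_change(session, "GET", enrol),
        # cross-site auto-submitted form: POST, but attacker cannot supply the token
        "forged_post": authorize_state_change(session, "POST", enrol),
        # the application's own form: POST plus the hidden token field
        "legit_post": authorize_state_change(session, "POST", {**enrol, "csrf_token": token}),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(name, allowed, reason)
```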
I've written a working proof of concept against the TU Delft Blackboard installation. The only requirement is that you're logged in to the TU Delft SSO. A login attempt to Blackboard is made, and then the "Blackboard 8.0 presentations" and "Search Employees" blocks are removed from your MyTUDelft homepage. Furthermore, you'll be enrolled in the course BK1500 Bouwfysica 1 and un-enrolled from BK1800_c Vormstudie 1 (if you were enrolled).
Try out the proof of concept or try it without the Blackboard SSO login attempt.
By Mark Janssen. Contact: mark (at) (domain).