HIGH RISK — Broward College Security Audit
For senior leadership · 21 May 2026
Security Audit · broward.edu · 21 May 2026

Security Audit: Broward College

External-perimeter security audit of broward.edu and its public infrastructure. Public community college · ~63,000 students · Title IV recipient · FERPA + GLBA regulatory scope.

Audit date: 21 May 2026
Scope: broward.edu (perimeter)
Risk classification: HIGH · Public Educational Institution
Subdomains enumerated: 168 CT hosts
Overall security score: 22 / 100
HIGH RISK — Immediate action required
Public-perimeter audit shows two critical issues with regulatory exposure plus 12 high-severity findings touching FERPA, GLBA, and FTC §5.
Findings distribution — 48 total
Critical 2 · High 12 · Medium 12 · Low 8 · Passed 14
Executive summary

Broward College handles FERPA-protected student records, Title IV federal aid data (GLBA scope), and dual-enrollment minors (COPPA scope). The marketing site has good fundamentals — DMARC p=reject, TLS 1.0/1.1 disabled, no exposed source, server version suppressed.

But two critical issues stand out: a chatbot loading from a pre-production vendor host on every production page, and a privacy policy that materially contradicts the site’s actual third-party data flows.

Together with 12 High items (CSP is clickjacking-only, no GLBA notice on financial aid, no public FERPA annual notice, public test/dev CMS mirrors, dangling password-reset CNAME), the regulatory exposure is significant for a public institution.

01 · Infrastructure & tech stack

Public-facing infrastructure as observed from the external perimeter. Several of these components are the sources of the critical and high findings below.

Web server: Apache, version suppressed
Origin IP: 162.252.213.135 (Total Uptime Technologies ADC)
TLS certificate: GoDaddy DV wildcard *.broward.edu · RSA 2048 · SHA-256 · expires 28 Jan 2027
TLS versions: TLS 1.2 only · 1.0/1.1 rejected · 1.3 rejected (see H–8)
DNS / nameservers: GoDaddy (pdns03/04.domaincontrol.com)
Email infrastructure: Microsoft 365 + Proofpoint · DMARC p=reject (one of the strongest defenses)
Student Info System (SIS): Ellucian Banner (Ellucian Cloud)
Learning Mgmt System (LMS): D2L Brightspace · bconline.broward.edu
Test/dev LMS (public): testbconline.broward.edu → bconlinecdtest.brightspace.com
Student portal: mybc.broward.edu · F5 Distributed Cloud WAF
HR / Finance: Workday (workday.broward.edu)
SSO provider: OneLogin (broward.onelogin.com) · CAS at mybc/cas/login
VPN: Palo Alto GlobalProtect · vpn.broward.edu
File transfer: MOVEit Cloud (sftp.broward.edu) · Cl0p 2023 breach risk
Fundraising: Blackbaud BBNC (giving.broward.edu) · 2020 breach history
Marketing CRM: Pardot account 946193 + Salesforce TargetX
Public test/dev CMS: webdev2, test, sites-test.broward.edu · all reachable, no auth
Chatbot vendor: BlackBeltHelp BrowardBot · loaded from bbh-PREPROD-bot.blackbelthelp.com ⚠
Frontend baseline age: CSS cache-bust 1558385680 · May 20, 2019, 7 years stale
02 · Critical findings (2 items)

Two issues with regulatory exposure require action this week. Verbatim evidence captured from production pages 21 May 2026.

C–1 · Production site loads chatbot from vendor’s pre-production host (FERPA §99.31(a)(1))

The homepage, admissions page, and custom 404 page all load JavaScript from a host literally named “bbh-preprod-bot” at a “/preprod/” path on BlackBeltHelp’s infrastructure, with no Subresource Integrity attribute:

<script src="https://bbh-preprod-bot.blackbelthelp.com/preprod/chat/chat-client.js?botId=BrowardBot">
# Loaded on:
#   https://www.broward.edu/                → homepage
#   https://www.broward.edu/admissions/     → admissions
#   https://www.broward.edu/error/404.html  → every soft-404

Two possibilities, both bad:

  • (a) Broward’s production student-support chatbot has been running against BlackBeltHelp’s pre-production environment for years (chat content containing FERPA-protected information flows to a non-production system with weaker security, debug logging, looser auth, different vendor SLAs); or
  • (b) BlackBeltHelp uses the “-preprod-” naming for their actual production tenant for Broward and never renamed it.

Either way, a single compromise of bbh-preprod-bot.blackbelthelp.com means arbitrary JavaScript execution on every Broward page, and with it OneLogin session-token theft.

Remediation — TODAY
  1. Open P1 ticket with BlackBeltHelp. Get written confirmation: production or pre-production environment? If pre-production, migrate to production tenant immediately. If it’s the vendor’s production naming, request rename/alias.
  2. Add integrity attribute: integrity="sha384-..." crossorigin="anonymous" to the script tag.
  3. Add CSP script-src allowlisting only the verified vendor host.
  4. Audit BlackBeltHelp DPA for FERPA “school official” coverage, chat-content handling, retention, breach-notification terms.
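The hardening in steps 2 and 3, shown as an added example that is neither the audit's nor the vendor's code: it hashes a constructed stand-in for the script body into an SRI token, emits the pinned tag, builds the script-src allowlist, and re-checks a fetched body against the pin. The script URL and vendor origin are the ones quoted above; the script body is made up.

```python
import base64
import hashlib
import re

# Constructed stand-in for the vendor's chat-client.js body; in practice the real file is
# fetched from the host the vendor confirms, hashed at deploy time, and re-hashed on each release.
SAMPLE_SCRIPT = b"window.BrowardBot = { botId: 'BrowardBot', init: function () {} };\n"
SCRIPT_SRC = "https://bbh-preprod-bot.blackbelthelp.com/preprod/chat/chat-client.js?botId=BrowardBot"
VENDOR_ORIGIN = "https://bbh-preprod-bot.blackbelthelp.com"  # replace with the origin confirmed in step 1


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return an SRI token ("sha384-<base64 digest>") for a script body."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def harden_script_tag(src: str, body: bytes) -> str:
    """Step 2: emit the script tag with integrity + crossorigin pinned to the fetched body."""
    return f'<script src="{src}" integrity="{sri_hash(body)}" crossorigin="anonymous"></script>'


def csp_allowlist(vendor_origin: str) -> str:
    """Step 3: script-src allowing only the page's own scripts and the verified vendor origin."""
    return f"script-src 'self' {vendor_origin}; object-src 'none'; base-uri 'self'"


def verify_sri(tag: str, body: bytes) -> bool:
    """Defender re-check: does a freshly fetched body still match the integrity pinned in the tag?
    False means the vendor changed the file (legitimately or not) and browsers will refuse to run it."""
    m = re.search(r'integrity="(sha(?:256|384|512))-([A-Za-z0-9+/=]+)"', tag)
    if not m:
        return False  # no integrity attribute at all: the current production state
    return sri_hash(body, m.group(1)) == f"{m.group(1)}-{m.group(2)}"


if __name__ == "__main__":
    tag = harden_script_tag(SCRIPT_SRC, SAMPLE_SCRIPT)
    print(tag)
    print("Content-Security-Policy:", csp_allowlist(VENDOR_ORIGIN))
    print("unchanged body verifies:", verify_sri(tag, SAMPLE_SCRIPT))         # True
    print("tampered body verifies: ", verify_sri(tag, SAMPLE_SCRIPT + b"//"))  # False
```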
C–2 · Internet Privacy Statement materially misrepresents data collection (FTC §5 + FERPA)

The Internet Privacy Statement at /legal/internet-privacy-statement.html states:

# Verbatim from broward.edu privacy statement:
"our policy is to collect no personal information about you when you visit our website unless you affirmatively choose to make such information available..."
"only aggregate information is collected, and individual visitors' personal information is not identified"

Both statements are inaccurate. The homepage loads, on first byte, before any consent prompt:

  • Google Tag Manager (GTM-K74MJ55) — cookie-based behavioral tracking
  • Pardot (account 946193) — visitor cookies tied to Salesforce CRM records once any form is filled
  • ShareThis (property 64930ce69c28110012954f37) — third-party data broker
  • BlackBeltHelp BrowardBot — collects chat content (potentially FERPA-protected)
  • doublesmart.digital — named as “third-party monitoring software”

The disclosure is selective: the policy names only doublesmart.digital while omitting GTM, Pardot, ShareThis, Anthology Ally and BlackBeltHelp. It references “policy 6Hx2-8.02” without a hyperlink, carries no effective date, names no Privacy Officer (only [email protected]), and provides no directory-information / FERPA opt-out for prospective students or parents.

This is Section 5 FTC Act deceptive-practice exposure, and it conflicts with FERPA’s school-official-exception annual-notice requirement.

Remediation — THIS WEEK
  1. Rewrite /legal/internet-privacy-statement.html: disclose every tracker category, name actual vendors, add effective date, name Privacy Officer (title + phone).
  2. Add public FERPA section with annual notice text, directory-information categories, opt-out instructions, Records Custodian contact.
  3. Add GLBA Annual Privacy Notice section for financial-aid customers.
  4. Deploy cookie consent banner. Gate Pardot, ShareThis, GTM behind consent.
  5. Reconsider whether ShareThis (data broker) belongs on a public college homepage.
03 · High-severity findings (12 items)

Regulatory and security exposure across CSP, FERPA / GLBA / ADA compliance, supply-chain risk, public test mirrors, and dangling DNS records.

H–1 · CSP is clickjacking-only, with no XSS mitigation
Current: frame-ancestors only. Missing: default-src, script-src, object-src, base-uri, form-action, connect-src.
Remediation: Deploy a full CSP in report-only mode, monitor for 2–3 weeks, then enforce.
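A check for the gap H–1 describes, added here as an example and not part of the audit: it parses a CSP value, lists which of the six directives are absent, and tracks a report-only policy separately from the enforced one. The headers are constructed: the current frame-ancestors-only state and a proposed report-only policy with placeholder origins.

```python
# The six directives finding H-1 lists as missing, with what each guards against.
REQUIRED_DIRECTIVES = {
    "default-src": "fallback for every fetch directive not set explicitly",
    "script-src": "which scripts may execute (the actual XSS mitigation)",
    "object-src": "plugin and <object>/<embed> loading",
    "base-uri": "<base> injection that redirects relative URLs",
    "form-action": "where forms may submit (credential exfiltration)",
    "connect-src": "XHR/fetch/WebSocket destinations (data exfiltration)",
}

# Constructed response headers: H-1's frame-ancestors-only state, and a proposed report-only policy; origins are placeholders.
CURRENT_HEADERS = {"Content-Security-Policy": "frame-ancestors 'self'"}
PROPOSED_HEADERS = {
    "Content-Security-Policy": "frame-ancestors 'self'",
    "Content-Security-Policy-Report-Only": (
        "default-src 'self'; script-src 'self' https://vendor.example; object-src 'none'; "
        "base-uri 'self'; form-action 'self'; connect-src 'self' https://api.example; "
        "report-uri /csp-report"
    ),
}

def parse_csp(policy: str) -> dict:
    """Split a CSP value into {directive: [source expressions]}; directive names are case-insensitive."""
    parsed = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            parsed[tokens[0].lower()] = tokens[1:]
    return parsed

def csp_gaps(policy: str) -> list:
    """Return the REQUIRED_DIRECTIVES absent from a policy, in the finding's order."""
    present = parse_csp(policy)
    return [d for d in REQUIRED_DIRECTIVES if d not in present]

def audit_csp(headers: dict) -> dict:
    """Gaps in the enforced policy, gaps in the report-only policy (None if absent), and whether script execution is restricted; report-only coverage yields reports, not protection."""
    enforced = headers.get("Content-Security-Policy", "")
    report_only = headers.get("Content-Security-Policy-Report-Only", "")
    return {
        "enforced_gaps": csp_gaps(enforced),
        "report_only_gaps": csp_gaps(report_only) if report_only else None,
        "xss_mitigated": "script-src" in parse_csp(enforced),
    }

if __name__ == "__main__":
    for label, hdrs in (("current", CURRENT_HEADERS), ("proposed", PROPOSED_HEADERS)):
        print(label, audit_csp(hdrs))
```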
H–2 · No FERPA annual notification on public website
No /ferpa page with annual notice, directory-info categories, opt-out instructions, Records Custodian.
Regulatory: 34 CFR §99.7, §99.37
Remediation: Publish a /ferpa page with the full annual notice.
H–3 · No GLBA Annual Privacy Notice on /financial-aid
Broward is a Title IV recipient and therefore a “financial institution” under the FTC’s interpretation.
Regulatory: GLBA §6803 · FTC Safeguards Rule 16 CFR §314 (June 2023)
Remediation: Publish at /financial-aid/privacy following the FTC model notice. Link from the FAFSA landing page. Establish a public reference for the WISP and Qualified Individual.
H–4 · Public test & dev mirrors of production CMS
webdev2, test, sites-test, testbconline all publicly reachable with no auth. Risk: pre-publication content, draft pages, internal links, staged data.
Remediation: Per environment, VPN-only, SSO-only, or remove DNS. Confirm the test LMS holds no production student PII.
H–5 · Dangling CNAME on password-reset subdomain
reset.broward.edu → CNAME → abcd.broward.edu (NXDOMAIN). Risk: account-recovery hijack if abcd.broward.edu is ever created on a SaaS platform.
Remediation: Remove the CNAME entirely or point it at a host you control.
H–6 · Subdomain takeover candidate
makerspace.broward.edu → CampusPress tenant returning HTTP 410 Gone.
Remediation: Remove the DNS record or repurpose it to a current site.
H–7 · noindex meta tag on homepage (operational)
<meta content="noindex" name="robots"/> on homepage. This is hurting SEO indexing.
Remediation: Remove immediately from the homepage template.
H–8 · TLS 1.3 not supported
Only TLS 1.2 accepted. TLS 1.0/1.1 correctly rejected. Modern best practice is TLS 1.3.
Remediation: Enable TLS 1.3 on the Total Uptime ADC. Test with openssl s_client -tls1_3.
H–9 · Moment.js 2.24.0 (2019) with known CVEs
CVE-2022-31129 (ReDoS), CVE-2022-24785 (path traversal). Deprecated library. CSS cache-bust dates to May 2019, 7 years stale.
Remediation: Update to 2.30.x or migrate off Moment.js. Add SRI. Rebuild the frontend baseline.
H–10 · DOJ ADA WCAG 2.1 AA deadline passed (Apr 2026)
/accessibility: no WCAG 2.1 AA conformance statement, no ADA Coordinator with title/phone, contains “coming soon” placeholders.
Regulatory: ADA Title II 28 CFR §35 (April 2024 final rule)
Remediation: Update with an explicit WCAG 2.1 AA statement, a named ADA Coordinator, VPATs for procured technology, and a complaint procedure.
H–11 · Wildcard CORS Access-Control-Allow-Origin: *
ACAO: * present. Allow-Credentials: true NOT set (technically safe today). Risk: future config drift; sets a permissive precedent.
Remediation: Remove the global ACAO. Apply it per endpoint with specific origins.
H–12 · Third-party vendor supply-chain risk
MOVEit Cloud (Cl0p exploited May–Jun 2023). Blackbaud BBNC (major breach May 2020). Both still active in the Broward stack.
Remediation: Get written confirmation of current patch state and MFA enforcement from both vendors.
04 · Medium-severity findings (12 items)

Header hygiene, regulatory disclosure gaps, third-party tracker categories, and DNS hardening opportunities.

M–1 · Malformed Set-Cookie: HttpOnly;Secure (only flags, no name=value)
M–2 · No DNSSEC despite .edu zone support
M–3 · No CAA records: any CA can issue certs for the domain
M–4 · HSTS missing includeSubDomains and preload
M–5 · Missing Referrer-Policy, Permissions-Policy, Cross-Origin-* headers
M–6 · No cookie consent banner despite Pardot, GTM, ShareThis
M–7 · No COPPA notice on Kids & Teens Continuing-Education program
M–8 · ShareThis third-party data broker on homepage
M–9 · No /clery, /heerf URLs; required reports buried in /_docs/ PDFs
M–10 · robots.txt enumerates internal CMS paths (recon roadmap for attackers)
M–11 · Title IX page doesn’t explicitly affirm 2024 final rule
M–12 · doublesmart.digital tracker: opaque “third-party monitoring”
05 · Low-severity findings (8 items)

Best-practice opportunities. None pose immediate risk, but each represents a small posture gap below higher-ed peers.

L–1 · No /.well-known/security.txt
L–2 · GoDaddy DV wildcard cert, below typical higher-ed posture (InCommon Sectigo OV)
L–3 · PageID hash meta tag leaks CMS internal identifier
L–4 · No IPv6, no PTR on origin IP
L–5 · Internal hostnames leaked in Certificate Transparency logs
L–6 · Stale frontend baseline (CSS cache-bust = May 2019)
L–7 · IE detection script loaded in 2026 (IE 11 discontinued 2022)
L–8 · No public records request webform (Florida Sunshine Law)
06 · What’s working well (14 passed)

Broward’s perimeter has real strengths worth preserving. These are the controls that did NOT fail the audit.

DMARC p=reject via Proofpoint (strong defense)
TLS 1.0 / 1.1 disabled
HSTS 2-year max-age
Apache server version suppressed
X-Content-Type-Options: nosniff
HTTP methods properly restricted (TRACE, PUT, DELETE, PROPFIND return 405)
Zone transfer refused (AXFR)
Only ports 80 / 443 open on origin
No .env / .git / Composer / Dockerfile exposure
Path traversal blocked
S3 bucket in CSP is locked (403 AccessDenied, not listable)
Wildcard CORS without credentials (ACAO: * without Allow-Credentials)
mybc & workday fronted by F5 Distributed Cloud WAF
Accessibility skip links + Anthology Ally present
07 · Remediation roadmap

Sequenced by urgency. The four Emergency items in the first group are the regulatory and reputational risks; everything else cascades from those.

🔴 Emergency · This week

4 items — ship in 7 days

  • C–1 · BlackBeltHelp preprod: P1 ticket, written confirmation, migrate/rename, pin SRI.
  • C–2 · Privacy statement: rewrite, disclose all trackers, add effective date + Privacy Officer.
  • H–7 · noindex meta tag: remove immediately from homepage template.
  • H–5 · Dangling CNAME: delete or repoint reset.broward.edu.
🟠 This week / next week

7 items — 14 days

  • H–2 · Publish /ferpa page with annual notice and Records Custodian.
  • H–3 · Publish GLBA Annual Privacy Notice at /financial-aid/privacy.
  • H–1 · Deploy full CSP in report-only mode.
  • H–4 · Gate or remove public test/dev CMS mirrors.
  • H–10 · Update /accessibility with WCAG 2.1 AA statement + ADA Coordinator.
  • H–9 · Update Moment.js, add SRI, rebuild frontend baseline.
  • H–12 · Confirm vendor risk (MOVEit, Blackbaud patch state + MFA).
🟡 This month

20+ items — 30 days

  • H–8 · Enable TLS 1.3 on Total Uptime ADC.
  • H–11 · Remove global ACAO *; apply per-endpoint.
  • M–1–12 · Header hygiene + DNSSEC + CAA: cookie consent, COPPA notice, Title IX 2024 affirmation, robots.txt cleanup, retire opaque trackers.
  • H–6 · Subdomain takeover cleanup (makerspace).
  • L–1 · Publish /.well-known/security.txt.
  • L–2 · Consider InCommon Sectigo OV migration for posture lift.