How should I tell school that they are vulnerable when I wasn't given permission to check?

If there is a teacher or counselor you can trust completely, that you know will keep your name secret even if the school administration starts making threats about firing people, I'd go to them first and talk to them in private. They don't need to understand computers or security (and you don't need to go into detail about the issue), they just need to be trustworthy and good at navigating the administration politics in the school: you need advice about the personalities of the people involved and how dangerous it would be for you to report the issue. If they're at all wary of reporting, then you should keep quiet.

If someone with enough power gets embarrassed, they might start looking for someone to fire or expel (or, in the worst case, to have arrested), to give the illusion that they are in control of the situation. If you're friendly with and trusted by the administration and IT department, and you know they've supported students in the past even when it made them look bad, it may be less risky to share the issue, but I'd still recommend going through a trusted intermediary.

If you can't talk to someone you trust to keep your name anonymous and you can't report the issue anonymously (and it sounds like you can't), it is probably best for you to keep quiet. And that means completely quiet: don't talk about what you found on forums, don't tell your friends what you found, and don't try it out again in a few weeks "to see if it's been fixed": you don't want to show up in any logs as having anything to do with this, especially if it gets exploited by someone else. It sucks, but start by protecting yourself.


Another thought struck me as I re-read your question (emphasis mine):

How should I tell school that they are vulnerable when I wasn't given permission to check?

Could you get permission? Once you have permission, you could "discover" the issue (without telling anyone you'd found it before) and report it without worrying about being blamed for hacking without permission.

It would be easiest if you're already taking a computer class taught by a friendly teacher who would work with IT to give you an extra credit assignment to do a Pen Test. Or if you're friendly with anyone in IT you could approach them directly and suggest you're interested in studying network security and hope to get a job in it someday, and could you get some experience by conducting a Pen Test of the local network. If you already have a reputation for being good at computers and security, and being trustworthy, you may have a decent chance at getting this approach to work.

This will require a lot more work than simply reporting the issue, if you're going to do it right. You'll need to test a lot more things so you can effectively launder your knowledge of the existing security hole (of course you might get lucky and find some more issues!), and you'll need to write up a report detailing everything you did, and why, and what you found. They also might restrict the scope of what you're allowed to test or give you a test system that doesn't expose the issue you already found, which means you'll be stuck doing the work and writing the report without being able to disclose the original issue.

Of course this is a fairly "sneaky" way of reporting the issue. If you get turned down you should probably keep quiet about the original issue, because if you report it or someone else does and it gets traced back to you, people will remember when you asked to conduct a Pen Test and start asking questions about you and how trustworthy you might be. So there is some risk to this approach.


How should you tell them? You shouldn't.

Let's look at the potential consequences here. Since you were poking around on their network without permission (something which is almost certainly in violation of your student agreement and whatever consent you clicked through in order to gain access to their IT system) the very best outcome you can expect is that they'll fix the issue and you'll get a small pat on the back.

On the other hand, there's at least a reasonable chance that they'll get the wrong end of the stick, expel you from the school and may even call the police. Since there have been other instances of hacking, they may jump to the assumption that you were somehow involved with those as well, increasing the chances of legal consequences.

At the very least, and in spite of your good intentions, you've almost certainly broken the law. While the school may choose to overlook this, they also might not.

When you weigh the upside against the downside, the choice should be obvious.