fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Sensitive Data of 400,000 German Students Exposed By API Flaw

Sensitive Data of 400,000 German Students Exposed By API Flaw

Approximately 400,000 users of Scoolio, a student community app widely used in Germany, had sensitive information exposed due to an API flaw in the platform.

Lilith Wittmann, a security researcher from the IT security collective “Zerforchung” discovered the bug and immediately disclosed their findings to the Scoolio team.

A “student” business

Scoolio is a German student community app that aims to build better time management skills, tutoring, homework planning, and group chats to network with peers. The app also allows companies to network with students to share job openings or internship opportunities.

Scoolio makes money by collecting data generated through these tools and features and then monetizing it with targeted advertising. However, Scoolio states that they do not collect or share any information from students without their consent.

Also Read: Ways to protect HR data and avoid penalties for data breaches

To build student membership, Scoolio has partnered with schools around Germany to use their platform as a remote teaching assistance tool for file exchanges or remote digital homework collection.

It’s very development was financially backed by three state-owned investment groups, namely SIB Innovations – und Beteiligungsgesellschaft mbH, Technologiegründerfonds Sachsen, and Kreissparkasse Bautzen. 

Due to the partnerships and government backings, many students use the app as a standard tool in their classes.

Data exposed by leaky API

In Zerforchung’s report, Wittmann explains how she exploited Scoolio API flaws to retrieve extremely sensitive data for any user ID used on the app.

The exposed personal data includes:

  • User nickname
  • User and parent email addresses
  • GPS location at which the app was last opened
  • Name of school and class
  • Interests
  • UUID details
  • Personality traits (origin, religion, sexuality)

Wittman shared a fictitious sample of the types of data exposed by the flaw below.

Sample profile details
Fictitious sample of types of exposed data
Source: Zerforschung

While Scoolio states that 1.8 million people use their app, the researcher believes that the actual number is closer to 400,000 based on how user ids are created.

“We cannot say exactly how many students are affected. Because scoolio artificially inflates its user numbers by creating accounts without asking: As soon as you download the app and open it once, an empty profile with a UUID is generated – regardless of whether you actually want to create a user account,” explains the Zerforchung report.

Also Read: Data Protection Act of Singapore: Validity in the Post-pandemic World

Fix released after thirty days

Zerforchung states that they disclosed the flaw to Scoolio on September 21, 2021, but it took the software developer until October 25, 2021 to deploy a patch.

However, due to the simplicity of the fix and the sensitive nature of the exposed data, Wittmann believes the fix should have been released more quickly.

“I would like to thank Ms. Wittmann for the information and the SDS for the exchange and thank you for your feedback on our security measures,” Danny Roller, CEO andFounder of the Scoolio app, shared in a statement.

“Fortunately, after extensive testing, we can confirm that No user data was intercepted by third parties prior to the investigation by Ms. Wittmann and we have successfully closed the gaps found.”

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us