A student admissions platform used by families to apply to schools has fixed a security flaw that allowed any logged-in user to access the personal information of other families and their children, after the issue was reported and verified.
What Data Was Exposed
The website, Ravenna Hub, lets parents apply to and track applications across thousands of schools. A flaw in the site allowed any authenticated user to view the personally identifiable data tied to any other user account, including information about children.
The exposed data included children’s names, dates of birth, home addresses, photos, and school details. It also included parents’ email addresses and phone numbers, along with information about children’s siblings.
VenturEd Solutions, a Florida-based company that develops and maintains Ravenna Hub, says on the site that the service supports more than one million students and processes hundreds of thousands of applications each year.
How The Issue Was Found And Fixed
TechCrunch learned of the vulnerability on Wednesday and notified the company. VenturEd fixed the issue the same day, and the report was held until the fix could be verified.
Nick Laird, the chief executive of VenturEd Solutions, said in an email to TechCrunch that the company was able to reproduce the issue and has addressed the vulnerability. He said the company is investigating the incident, but did not commit to notifying users about the exposure. He also did not say whether the company can determine if anyone accessed other users’ data, and declined to comment on whether Ravenna Hub has undergone third-party security testing.
It is not clear who oversees cybersecurity for VenturEd or Ravenna Hub.
The Nature Of The Vulnerability
The flaw is known as an insecure direct object reference, or IDOR. This type of issue occurs when applications rely on weak or missing access controls, which allows users to access stored information they should not be able to see.
In this case, the bug let any logged-in user view another student’s profile by changing the unique number in the web address shown in the browser. Because Ravenna Hub uses sequential student numbers, a user could access other records by increasing or decreasing that number.
When TechCrunch created a test account, the site displayed a seven-digit number in the profile URL. That indicated that more than 1.63 million earlier records were potentially accessible to any logged-in user through the same method.
A Pattern Of Simple Flaws Exposing Children’s Data
The incident adds to a series of recent cases where basic security mistakes have exposed information about children. In January, the online mentoring site UStrive disclosed that it had exposed personal information belonging to its users, many of whom are still in school.
Featured image credits: i-Tech Support
For more stories like it, click the +Follow button at the top of this page to follow us.