Personal Information Belonging to 400,000 German Students Exposed
Scoolio Users Had Sensitive Information Exposed Due to an API Flaw in the Platform.
Last updated on October 28, 2021
Scoolio is a comprehensive school management platform that connects parents, educators, and administrators to the data needed to spur student success.
It appears that 400,000 Scoolio users had their sensitive information exposed through what looks like an API flaw in the platform.
Scoolio earns money by collecting and monetizing data generated by its various tools and features. At the same time, Scoolio claims that it does not collect or share any information from students without their permission.
Scoolio has partnered with German schools to use its technology as a remote teaching aid for file transfers and digital homework collection.
As a result of these partnerships and government support, many students use the app as a standard tool in their courses.
The vulnerability was discovered by Lilith Wittmann of the IT security collective “Zerforschung,” who promptly informed the Scoolio team of her findings.
In Zerforschung’s report, Wittmann outlines how she exploited the Scoolio API weaknesses to obtain highly sensitive data for every user ID used on the app:
We also found another problem, albeit a small one compared to the gigantic data outflow: We were not only able to call up the data of all users, but also to update some of them.
For example, we could have changed the location of a user to our hearts’ content by sending any profile ID to the endpoint /api/v3/Profile/location. All you need is the profile ID – and a request like this would have changed the location:
We cannot say exactly how many students are affected, because Scoolio artificially inflates its user numbers by creating accounts without asking: as soon as you download the app and open it once, an empty profile with a UUID is generated, regardless of whether you actually want to create a user account.
Scoolio itself states a user count of 1.8 million. We assume that there are only a few hundred thousand.
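As an added illustration (not Scoolio’s code and not taken from Zerforschung’s report), the following Python models an update endpoint like /api/v3/Profile/location with the ownership check missing, next to a hardened handler that ties the target profile to the authenticated session; the profile IDs, session tokens and function names are assumptions made for the example.

```python
# Added example (not Scoolio's code): a minimal model of a profile-location
# endpoint showing the missing object-level authorization check beside a
# hardened version. Profile ids, tokens and handler names are constructed.
from dataclasses import dataclass


@dataclass
class Profile:
    profile_id: str
    location: str


# Constructed sample state: two user profiles and one authenticated session.
ALICE = "11111111-1111-4111-8111-111111111111"
BOB = "22222222-2222-4222-8222-222222222222"
PROFILES = {ALICE: Profile(ALICE, "Dresden"), BOB: Profile(BOB, "Leipzig")}
SESSIONS = {"token-alice": ALICE}  # bearer token -> profile the caller owns


def update_location_vulnerable(token, profile_id, new_location):
    """Vulnerable: authenticates the caller but never checks that the
    profile_id taken from the request belongs to that caller."""
    if token not in SESSIONS:
        return 401, None
    profile = PROFILES.get(profile_id)
    if profile is None:
        return 404, None
    profile.location = new_location  # any valid session can edit any profile
    return 200, profile.location


def update_location_hardened(token, profile_id, new_location):
    """Hardened: the object named in the request must be owned by the
    authenticated caller; foreign ids get a uniform 403 before any write."""
    owner = SESSIONS.get(token)
    if owner is None:
        return 401, None
    if profile_id != owner:
        # Object-level authorization. Returning 403 whether or not the id
        # exists avoids confirming valid ids to a client that enumerates them.
        return 403, None
    profile = PROFILES[owner]
    profile.location = new_location
    return 200, profile.location


if __name__ == "__main__":
    # Alice's session tries to change Bob's location through both handlers.
    print(update_location_vulnerable("token-alice", BOB, "Berlin"))  # (200, 'Berlin')
    print(update_location_hardened("token-alice", BOB, "Berlin"))    # (403, None)
```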
Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.