Personal Information Belonging to 400,000 German Students Exposed
Scoolio Users Had Sensitive Information Exposed Due to an API Flaw in the Platform.
Scoolio is a comprehensive school management platform that connects parents, educators, and administrators to the data needed to spur student success.
It appears that 400,000 Scoolio users had their sensitive information exposed by what seems to be an API flaw in the platform.
Scoolio earns money by collecting and monetizing the data generated by its various tools and features. At the same time, Scoolio states that it does not collect or share any information from students without their permission.
Scoolio has partnered with German schools, which use its technology as a remote teaching aid for file transfers and digital homework collection.
As a result of these partnerships and government support, many students use the app as a standard tool in their courses.
The vulnerability was discovered by Lilith Wittmann of the IT security collective “Zerforschung,” who promptly informed the Scoolio team of her findings.
In Zerforschung’s report, Wittmann outlines how she used weaknesses in the Scoolio API to retrieve extremely sensitive data for every user ID on the app.
As reported by BleepingComputer, the exposed personal data includes:
- User nickname
- User and parent email addresses
- GPS location at which the app was last opened
- Name of school and class
- UUID details
- Personality traits (origin, religion, sexuality)
We also found another problem, albeit a small one compared to the gigantic data outflow: We were not only able to call up the data of all users, but also to update some of them.
For example, we could have changed the location of a user to our hearts’ content by sending any profile ID to the endpoint /api/v3/Profile/location. All you need is the profile ID – and a request like this would have changed the location:
We cannot say exactly how many students are affected, because scoolio artificially inflates its user numbers by creating accounts without asking: as soon as you download the app and open it once, an empty profile with a UUID is generated, regardless of whether you actually want to create a user account.
Scoolio itself states a user count of 1.8 million. We assume that there are only a few hundred thousand.
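The update flaw the report describes above is a missing object-level authorization check: the endpoint acts on whatever profile ID the request carries instead of the profile bound to the caller's session. The following is an added illustration, not Scoolio's code or Zerforschung's, of that pattern beside its corrected form, plus a simple access-log check a defender could run; the profile IDs, request bodies and log lines are constructed samples.

```python
# Added illustration, not Scoolio's code: a location-update handler modelled on
# the /api/v3/Profile/location behaviour the report describes, first trusting
# the profile ID in the request and then bound to the authenticated session,
# plus an access-log check. Profile IDs and log lines are constructed samples.
from collections import defaultdict

def sample_store():
    """Fresh constructed store: profile UUID -> last-known location."""
    return {
        "11111111-aaaa-4aaa-8aaa-111111111111": {"lat": 51.05, "lon": 13.74},
        "22222222-bbbb-4bbb-8bbb-222222222222": {"lat": 52.52, "lon": 13.40},
    }

class Forbidden(Exception):
    """The authenticated session does not own the targeted profile."""

def update_location_vulnerable(session_profile_id, body, store):
    """Trusts body['profileId']: any authenticated session can overwrite the
    location of any profile whose ID it knows. session_profile_id is ignored."""
    target = body["profileId"]
    store[target] = {"lat": float(body["lat"]), "lon": float(body["lon"])}
    return target

def update_location_fixed(session_profile_id, body, store):
    """Derives the target from the session. A profileId in the body is only
    tolerated when it equals the session owner; otherwise reject before any
    write. Unknown profiles are also rejected rather than silently created."""
    target = body.get("profileId", session_profile_id)
    if target != session_profile_id:
        raise Forbidden(f"session may not modify profile {target}")
    if target not in store:
        raise KeyError(target)
    store[target] = {"lat": float(body["lat"]), "lon": float(body["lon"])}
    return target

def flag_enumeration(log_lines, max_targets=1):
    """From 'session_id target_profile_id' access-log lines, return sessions that
    wrote to more than max_targets distinct profiles. A client legitimately
    updates one profile, so a higher count suggests iteration over IDs."""
    targets = defaultdict(set)
    for line in log_lines:
        session, target = line.split()
        targets[session].add(target)
    return sorted(s for s, t in targets.items() if len(t) > max_targets)
```

The same ownership check applies to the read side of the API that leaked the profile data: the session, not the request body or URL, must decide which profile is visible.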
A Fix Was Released
Scoolio was notified of the vulnerability on September 21, 2021, but the developer did not issue a fix until October 25, 2021.
Wittmann argues, however, that the fix should have been released sooner, given how simple the repair was and how sensitive the exposed data is.
I would like to thank Ms. Wittmann for the information and the SDS for the exchange and thank you for your feedback on our security measures.
Fortunately, after extensive testing, we can confirm that no user data was intercepted by third parties prior to the investigation by Ms. Wittmann, and we have successfully closed the gaps found.