A student admissions website that families use to enroll their children in schools has fixed a security flaw that exposed personal information.
Ravenna Hub, a website where parents can apply and track the status of their children’s applications at thousands of schools, allowed logged-in users to access personally identifiable data associated with other users, including their children.
The leaked data includes children’s names, dates of birth, addresses, photos, and school details. Parents’ email addresses and phone numbers, as well as information about the child’s siblings, were also leaked.
Florida-based VenturEd Solutions, which developed and maintains Ravenna Hub, says on the Ravenna Hub website that the company serves more than 1 million students and processes hundreds of thousands of applications annually.
TechCrunch first learned of the vulnerability on Wednesday and alerted the company shortly after. VenturEd fixed the bug on the same day, but TechCrunch withheld this report until it could confirm that the bug had been fixed.
Nick Laird, CEO of VenturEd Solutions, told TechCrunch in an email that the company was able to reproduce the issue and has addressed the vulnerability.
Laird said the company is investigating the incident, but wouldn’t commit to notifying users about the security lapse, and wouldn’t say, in response to TechCrunch’s questions, whether the company has the ability to confirm whether there had been unauthorized access to other users’ data. We also asked whether security checks on Ravenna Hub were performed by a third party, and if so, by whom. Laird did not specify, or declined to comment further.
It is unclear who, if anyone, is overseeing cybersecurity for VenturEd and Ravenna Hub.
This vulnerability, known as an Insecure Direct Object Reference (IDOR), is a common security flaw that allows a user to access stored records belonging to others because the server checks that the requester is logged in but does not check whether that requester is authorized to view the specific record being requested.
In effect, this bug allows a logged-in user to access another student’s data, including personal information, by using the web browser’s address bar to change the unique number associated with the student’s profile.
For Ravenna Hub, student numbers are consecutive. This meant that any user could potentially access another student’s data by changing one or more digits in their profile number.
When TechCrunch created a new account using test data, we found that the web address contained a seven-digit profile number. So, before our record, there were just over 1.63 million records available to other users.
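The following is an added illustration written for this article, not code from Ravenna Hub or VenturEd, whose implementation is not public. It models the flaw described above with a small in-memory store of constructed student records keyed by sequential numbers: a vulnerable lookup that only checks for a login sits beside a fixed lookup that also checks the record belongs to the requesting account, and a simple log heuristic flags a session that walks through many distinct profile numbers. All names, records and the log are constructed sample data.

```python
"""Added example: an IDOR on sequential student IDs, its fix, and a detection heuristic.
Not Ravenna Hub's code; every record and account below is constructed sample data."""
from dataclasses import dataclass


@dataclass
class Student:
    student_id: int
    name: str
    dob: str
    parent_account: str  # the only account entitled to view this record


# Constructed store with consecutive IDs, as the article describes for Ravenna Hub.
STUDENTS = {
    1630001: Student(1630001, "Student A", "2015-03-02", "parent_a@example.com"),
    1630002: Student(1630002, "Student B", "2014-11-17", "parent_b@example.com"),
}


class Forbidden(Exception):
    pass


def get_student_vulnerable(session_user, student_id):
    """The IDOR: the handler verifies a login but never asks who owns the record,
    so any logged-in user who edits the number in the URL gets someone else's child."""
    if session_user is None:
        raise Forbidden("login required")
    return STUDENTS.get(student_id)


def get_student_fixed(session_user, student_id):
    """Object-level authorization: the record is returned only to the account it belongs to.
    Missing and unauthorized records both yield None so the response does not reveal
    which profile numbers exist."""
    if session_user is None:
        raise Forbidden("login required")
    record = STUDENTS.get(student_id)
    if record is None or record.parent_account != session_user:
        return None
    return record


def flag_enumeration(access_log, threshold=5):
    """Return accounts that requested more than `threshold` distinct student IDs.
    A family normally views a handful of profiles; a session sweeping consecutive
    numbers is the access pattern this bug class produces and is worth alerting on."""
    seen = {}
    for user, student_id in access_log:
        seen.setdefault(user, set()).add(student_id)
    return sorted(user for user, ids in seen.items() if len(ids) > threshold)


# Constructed access log: parent_a views their own child repeatedly, then ten
# neighbouring IDs; parent_b views only their own child.
SAMPLE_ACCESS_LOG = (
    [("parent_a@example.com", 1630001)] * 3
    + [("parent_a@example.com", sid) for sid in range(1630002, 1630012)]
    + [("parent_b@example.com", 1630002)]
)


if __name__ == "__main__":
    other = get_student_vulnerable("parent_a@example.com", 1630002)
    print("vulnerable handler returned another family's child:", other.name)
    print("fixed handler returned:", get_student_fixed("parent_a@example.com", 1630002))
    print("accounts flagged for enumeration:", flag_enumeration(SAMPLE_ACCESS_LOG))
```

The fix is the ownership comparison in `get_student_fixed`, applied on every request to every object rather than once at login. Replacing consecutive numbers with unguessable identifiers would make the sweep in the sample log impractical, but it does not substitute for the authorization check, since a valid identifier can still be shared or leaked.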
This is the latest security breach involving a simple security flaw that affects children’s personal information. In January, the online mentoring site UStrive exposed the personal information of its users, many of whom were still in school.
