
Student admissions site bug leaked children’s data

Summary

– Ravenna Hub, a student admissions website, fixed a security flaw that exposed the personal data of its users, including children and parents.
– The exposed data included children’s names, birthdates, addresses, photos, and school details, as well as parent contact information.
– The vulnerability was an IDOR flaw, allowing any logged-in user to access others’ data by sequentially changing a profile number in the web address.
– The company, VenturEd Solutions, fixed the bug quickly after being alerted but declined to answer questions about user notification or security audits.
– This incident is part of a pattern of simple security flaws exposing children’s personal information online.

A significant security flaw on a widely used student admissions platform exposed the personal information of children and their families. The vulnerability, now resolved, allowed any parent logged into the Ravenna Hub system to access the private data associated with any other user’s account. This incident highlights ongoing concerns about data protection within educational technology services.

The exposed data included highly sensitive details such as children’s full names, dates of birth, home addresses, photographs, and specific school information. The email addresses and phone numbers of parents, along with information about siblings, were also accessible. Ravenna Hub, developed by Florida-based VenturEd Solutions, reportedly serves over a million students and processes hundreds of thousands of applications annually, indicating the potential scale of the exposure.

The security weakness was identified as an insecure direct object reference (IDOR), a common flaw where servers lack proper controls to prevent users from accessing records they should not see. In practical terms, any logged-in user could view another student’s profile simply by altering a sequential number in their web browser’s address bar. Because these profile numbers were consecutive, it was possible to cycle through a vast number of records. An analysis suggested that more than 1.63 million records were potentially accessible before the issue was corrected.
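The difference between the flawed pattern and an object-level authorization check can be shown in a few lines. This is an added illustration, not Ravenna Hub's code: the record layout, account names, function names and log format are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    profile_id: int      # sequential, so guessable
    owner_account: str   # the parent account allowed to view it
    student_name: str

# Constructed sample records; none of this is real data.
PROFILES = {p.profile_id: p for p in (
    Profile(1001, "parent-a", "Student A"),
    Profile(1002, "parent-b", "Student B"),
    Profile(1003, "parent-a", "Student C"),
)}

class Forbidden(Exception):
    pass

class NotFound(Exception):
    pass

def get_profile_vulnerable(session_account, profile_id):
    """IDOR: checks that the caller is logged in, not that the record is theirs."""
    if session_account is None:
        raise Forbidden("login required")
    if profile_id not in PROFILES:
        raise NotFound(profile_id)
    return PROFILES[profile_id]

def get_profile_hardened(session_account, profile_id):
    """Object-level authorization: the record must belong to the caller."""
    if session_account is None:
        raise Forbidden("login required")
    profile = PROFILES.get(profile_id)
    # Same error for "missing" and "not yours", so responses do not
    # reveal which profile numbers exist.
    if profile is None or profile.owner_account != session_account:
        raise NotFound(profile_id)
    return profile

def unauthorized_reads(access_log):
    """Audit helper: log entries where an account read a profile it does not own."""
    return [(acct, pid) for acct, pid in access_log
            if pid in PROFILES and PROFILES[pid].owner_account != acct]

# Constructed access log of (account, profile_id) pairs.
SAMPLE_LOG = [("parent-a", 1001), ("parent-a", 1002), ("parent-b", 1002),
              ("parent-b", 1003)]
```

Replacing sequential numbers with unguessable identifiers makes enumeration harder but does not substitute for the ownership check; the audit helper only works if request logs record both the authenticated account and the profile requested.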

The company was promptly notified after the vulnerability was discovered. VenturEd Solutions confirmed it replicated the problem and implemented a fix on the same day. However, the company’s chief executive, Nick Laird, provided limited information in response to further inquiries. He declined to state whether affected users would be notified of the security lapse or whether the company could determine if any unauthorized access to data had occurred. Laird also would not comment on whether Ravenna Hub undergoes independent third-party security audits or who oversees cybersecurity within the organization.

This event is part of a troubling pattern of security oversights involving platforms that handle children’s data. Earlier this year, a separate online mentoring site experienced a similar breach, exposing the information of many school-aged users. These repeated incidents underscore the critical need for robust security measures and transparent communication when protecting the sensitive information of young students and their families.

(Source: TechCrunch)
