A student admissions website used by families to enroll their children in schools has fixed a security flaw that exposed their personal information.
The website, Ravenna Hub, which allows parents to submit applications and track the status of their children’s applications at thousands of schools, allowed any logged-in user to access personally identifiable data associated with any other user, including their children.
The data exposed includes children’s names, dates of birth, addresses, photographs and details about their school. The parents’ email addresses and phone numbers, as well as information about the children’s siblings, were also exposed.
Florida-based VentureEd Solutions, which develops and maintains Ravenna Hub, says on its website that it serves more than one million students and processes hundreds of thousands of applications a year.
TechCrunch first learned of the vulnerability on Wednesday and alerted the company shortly after. VentureEd fixed the bug the same day, but TechCrunch withheld this report until we could verify that the bug was fixed.
Nick Laird, CEO of VentureEd Solutions, told TechCrunch in an email that the company was able to replicate the issue and fixed the vulnerability.
Laird said the company was investigating the incident, but would not commit to notifying users about the security breach, nor would he say, when asked by TechCrunch, whether the company has the ability to check whether there was any improper access to other users’ data. We also asked if a third party verified the security of Ravenna Hub and, if so, who. Laird would not say anything and declined to comment further.
It’s unclear who, if anyone, oversees cybersecurity at VentureEd and Ravenna Hub.
The vulnerability is known as an insecure direct object reference, or IDOR, a common security flaw that allows users to access stored information because of weak or non-existent security controls on the servers in question.
In practice, the bug allowed any logged-in user to access another student’s data, including their personal information, by modifying the unique number associated with a student’s profile using their web browser’s address bar.
In the case of Ravenna Hub, student numbers are sequential, meaning that any user can access another student’s data by changing the profile number by one or more digits.
When TechCrunch created a new account with test data, we discovered that the web address contained a seven-digit number. As such, there were just over 1.63 million records prior to ours that were accessible to any other user.
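
The flaw described above comes down to a missing per-record ownership check on the server. The following Python is an added illustration, not code from the article or from Ravenna Hub; the data model, function names and sample records are all hypothetical. It contrasts a lookup that only requires a login with one that verifies ownership and logs denied requests so that improper access attempts can be reviewed afterwards.

```python
# Added illustration: hypothetical data model, not Ravenna Hub's code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    student_id: int   # sequential, so neighbouring IDs are easy to guess
    guardian_id: int  # the account that owns this record
    name: str


# Constructed sample records.
PROFILES = {p.student_id: p for p in (
    Profile(1000001, 11, "Student A"),
    Profile(1000002, 22, "Student B"),
    Profile(1000003, 22, "Student C"),
)}
AUDIT_LOG = []  # entries are (account_id, student_id, allowed)


class Forbidden(Exception):
    pass


def get_profile_flawed(session_account_id, student_id):
    """The flawed pattern: being logged in is the only requirement."""
    if session_account_id is None:
        raise Forbidden("login required")
    return PROFILES[student_id]


def get_profile_checked(session_account_id, student_id):
    """Object-level authorization: the record must belong to the caller."""
    profile = PROFILES.get(student_id)
    allowed = profile is not None and profile.guardian_id == session_account_id
    AUDIT_LOG.append((session_account_id, student_id, allowed))
    if not allowed:
        # Same error for "missing" and "not yours": replies do not confirm valid IDs.
        raise Forbidden("not found")
    return profile


def accounts_probing(log, threshold=2):
    """Accounts with at least `threshold` denied lookups of distinct student IDs."""
    denied = {}
    for account_id, student_id, allowed in log:
        if not allowed:
            denied.setdefault(account_id, set()).add(student_id)
    return sorted(a for a, ids in denied.items() if len(ids) >= threshold)
```

Replacing sequential identifiers with random ones makes guessing harder, but the ownership check is what actually closes the hole.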
This is the latest security breach involving simple security flaws affecting children’s personal information. In January, online tutoring site UStrive exposed its users’ personal information, many of whom are still in school.


