Massive data leak at learning portal – 400,000 students affected

The number of users of online platforms for self-study increased immensely, especially during the Corona crisis. Closed schools and online offerings from the supervising teachers that were often merely adequate had a lot to do with this. Now it has become known that one of the most popular platforms, Scoolio, was affected by a massive data leak. The security hole in the student app, which has since been closed, made it possible to access user data on nearly 400,000 students.

Collective for Data Security Found Gap

As is so often the case in the field of Internet security, a collective of IT experts once again became aware of the security problems. The “Zerforschung” collective was able to find some massive problems during its extensive review of the student app Scoolio. For example, they found plenty of security vulnerabilities that made it easy for cybercriminals to view and retrieve data of registered students. Especially the fact that these are mainly underage students makes this case so frightening. Scoolio itself has since commented on the gaps and made it clear that they have fortunately already been closed in the meantime.

Problems of digital teaching

Scoolio is considered a popular platform, which was used as a practical tool not only by students, but also by teachers, especially during the lockdown. Here, for example, homework and lesson plans could be conveniently stored. In times of non-existent face-to-face teaching, this was worth its weight in gold. But of course, the creators did not only think of school purposes, but also of the entertainment factor for young users. Accordingly, Scoolio also functioned like a kind of Facebook light in the form of a small social network. In addition to small online games, the app also offers chat options here.

Especially the fact that Scoolio is also designed as a social network gives the data leak an even more bitter taste. After all, it was thus possible for unwanted guests to access students’ personal data and not just view their homework plans. Last but not least, the massive data leak from Scoolio makes it clear that general Internet security risks naturally also apply in the field of education. Zerforschung’s own IT security experts described data security as inadequate.

Data retrieval possible without any problems

The experts at Zerforschung took a very simple approach to their analysis: they created their own profile. Using a person-in-the-middle proxy, they could then see how the app and the server communicated with each other. From there they “just” had to work through the API endpoints one by one. In the process, the team concluded that the ID of a profile alone was enough to view and retrieve the corresponding account. The colleagues from heise online spoke to Lilith Wittmann (security researcher at Zerforschung) about this.

If one believes the IT expert’s estimate, it would have been possible to access almost 400,000 user profiles of the student platform in this comparatively uncomplicated way. In view of the sometimes serious topics discussed in the chat rooms, this is not only dangerous in terms of personal data. Memberships in groups such as “LGBTQ” can also be easily viewed using the profile IDs. This would have made it easy for certain authorities to collect data on, for example, the sexual orientation of children.
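The flaw described above is a missing per-object authorization check. The following added example (not Scoolio's code; the data model, field names and functions are hypothetical, and the sample records are constructed) contrasts a lookup keyed only on the profile ID with one that decides access from the authenticated session and keeps group memberships owner-only.

```python
# Added illustration; PROFILES, field names and function names are hypothetical,
# not Scoolio's real API or data model. Sample records are constructed.
from typing import Optional

PROFILES = {
    101: {"id": 101, "nickname": "mia", "email": "mia@example.org",
          "birthdate": "2007-03-14", "groups": ["LGBTQ", "Class 9b"]},
    102: {"id": 102, "nickname": "tom", "email": "tom@example.org",
          "birthdate": "2006-11-02", "groups": ["Chess"]},
}

# Fields any other logged-in user may see; everything else is owner-only.
PUBLIC_FIELDS = ("id", "nickname")


class Forbidden(Exception):
    """Raised when the request carries no authenticated session."""


def get_profile_broken(profile_id: int) -> Optional[dict]:
    """Flawed pattern: the profile ID is the only input, so knowing or
    guessing an ID is enough to read the complete record."""
    return PROFILES.get(profile_id)


def get_profile(session_user_id: Optional[int], profile_id: int) -> Optional[dict]:
    """Hardened pattern: authorization is decided per object, server-side,
    from the authenticated session rather than from the requested ID."""
    if session_user_id is None or session_user_id not in PROFILES:
        raise Forbidden("authentication required")
    record = PROFILES.get(profile_id)
    if record is None:
        return None
    if session_user_id == profile_id:
        return dict(record)                       # owner sees own full record
    return {k: record[k] for k in PUBLIC_FIELDS}  # others get a reduced view


if __name__ == "__main__":
    print(get_profile_broken(101))   # full record, no session involved
    print(get_profile(102, 101))     # reduced view for another user
    print(get_profile(101, 101))     # full record for the owner
```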

Not only data theft as a risk

Let’s not kid ourselves. Extensive data theft is only interesting for cyber criminals with economic intentions if credit card data or similar can be stolen. In the area of minors, on the other hand, one must rather reckon with the risk of so-called cybergrooming. Here, adults use chat rooms to make contact with minors. According to Zerforschung, this would theoretically have been possible without any problems at Scoolio. The moderators of the platform would not have prevented a corresponding contact even if one had registered as a person over 40 years old and joined a group for dating between minors. Of course, Scoolio is anything but pleased about the security leaks that have come to light. However, since no affected members have been heard from so far, the GmbH seems to have gotten off lightly once again.

Scoolio is available as a handy smartphone app for iOS & Android

In order to mend its reputation, the company has announced that it will significantly upgrade its security mechanisms. Here, the focus is first and foremost on the protection of minors. In particular, the introduction of an extensive upload filter is intended to prevent the sending of media unsuitable for children, for example. A block on contact data such as cell phone numbers and e-mail addresses is also to be introduced in chats. In addition to these, other general improvements in the area of security are also to come. To get the increased security signed off, Scoolio promises a subsequent review by external IT experts. Scoolio has only positive words to say about Zerforschung. After all, the security collective has pointed out the shortcomings. We are curious to see which security gaps will be uncovered by Zerforschung as part of the “Back to school” review of other student portals.

Simon Lüthje

I am co-founder of this blog and am very interested in everything that has to do with technology, but I also like to play games. I was born in Hamburg, but now I live in Bad Segeberg.
