Around 400,000 users of Scoolio, a widely used student community app in Germany, had sensitive personal information exposed by an API flaw in the platform.
Lilith Wittmann, a security researcher from the IT security collective “Zerforchung”, discovered the bug and immediately disclosed her findings to the Scoolio team.
A “student” company
Scoolio is a German student community app that aims to develop better skills in time management, tutoring, homework planning and group discussions to network with peers. The application also allows companies to network with students to share job offers or internship opportunities.
Scoolio makes money by collecting data generated by these tools and features and then monetizing it with targeted ads. However, Scoolio states that they do not collect or share any information from students without their consent.
To strengthen student buy-in, Scoolio has partnered with schools across Germany to use its platform as a distance-learning aid for file exchange and digital homework collection.
Its development was financially supported by three public investment groups, namely SIB Innovations- und Beteiligungsgesellschaft mbH, Technologiegründerfonds Sachsen and Kreissparkasse Bautzen.
Because of these partnerships and the public backing, many students use the app as a standard tool in their courses.
Data exposed by a leaking API
In Zerforchung’s report, Wittmann explains how flaws in the Scoolio API let her retrieve extremely sensitive data for any user ID on the app.
The personal data exposed includes:
- User and parent email addresses
- GPS position where the application was last opened
- Name of school and class
- UUID details
- Personality traits (origin, religion, sexuality)
Wittmann shared a fictitious sample of the data types exposed by the vulnerability below.
While Scoolio says 1.8 million people use its app, the researcher believes the actual number is closer to 400,000 because of how user accounts are created.
“We can’t say exactly how many students are affected, because Scoolio artificially inflates its number of users by creating accounts without asking: as soon as you download the app and open it once, an empty profile with a UUID is generated – whether or not you want to create a user account,” says the Zerforchung report.
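The bug class described above, an authenticated caller being able to fetch any UUID's full profile, is easiest to see next to its fix. The following is an added example, not Scoolio's code; the profiles, UUIDs, session tokens and the handler names are constructed placeholders.

```python
# Added example, not Scoolio's code: a minimal model of the bug class the report
# describes (any authenticated caller can fetch any UUID's full profile) beside a
# handler that enforces object-level authorization and data minimisation.
# All profiles, UUIDs and tokens are constructed placeholders.

# Constructed sample store: profile fields mirror the categories listed in the report.
PROFILES = {
    "uuid-alice": {"email": "alice@example.invalid",
                   "parent_email": "parent.a@example.invalid",
                   "last_gps": (51.18, 14.42), "school": "Example Gymnasium",
                   "class": "10b", "traits": {"religion": "none", "origin": "DE"}},
    "uuid-bob": {"email": "bob@example.invalid",
                 "parent_email": "parent.b@example.invalid",
                 "last_gps": (52.52, 13.40), "school": "Example Gymnasium",
                 "class": "10b", "traits": {"religion": "none", "origin": "DE"}},
}
SESSIONS = {"tok-alice": "uuid-alice", "tok-bob": "uuid-bob"}  # session token -> owner UUID
PEER_FIELDS = ("school", "class")   # the only fields a classmate lookup needs
AUDIT_LOG = []                      # denied cross-user reads: a useful detection signal

def get_profile_vulnerable(token, target_uuid):
    """Authenticates the caller, then trusts the UUID in the request (BOLA/IDOR)."""
    if token not in SESSIONS:
        return 401, None
    profile = PROFILES.get(target_uuid)
    return (200, dict(profile)) if profile else (404, None)

def get_profile_fixed(token, target_uuid):
    """Binds the lookup to the session: a user may read only their own full record."""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, None
    if target_uuid != caller:
        # Authorization is checked before existence, so the response does not
        # reveal whether the UUID is valid; the attempt is logged for the SOC.
        AUDIT_LOG.append({"caller": caller, "requested": target_uuid})
        return 403, None
    return 200, dict(PROFILES[caller])

def get_peer_view(token, target_uuid):
    """Legitimate classmate lookup: an allow-listed subset, never e-mail, GPS or traits."""
    if token not in SESSIONS:
        return 401, None
    profile = PROFILES.get(target_uuid)
    if profile is None:
        return 404, None
    return 200, {k: profile[k] for k in PEER_FIELDS}
```

A burst of 403 entries in AUDIT_LOG from one session walking through many UUIDs is the pattern a detection rule for this bug class would alert on.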
Fix published after thirty days
Zerforchung claims to have disclosed the flaw to Scoolio on September 21, 2021, but it took the software developer until October 25, 2021 to deploy a patch.
However, due to the simplicity of the fix and the sensitive nature of the data exposed, Wittmann believes the fix should have been released sooner.
“I would like to thank Ms Wittmann for the information and the SDS for the exchange and thank you for your comments on our security measures,” said Danny Roller, CEO and founder of the Scoolio app, in a statement.
“Fortunately, after extensive testing, we can confirm that no user data was intercepted by third parties prior to Ms. Wittmann’s investigation and we were successful in addressing the gaps found.”