A student admissions website used by families to enroll children in schools has patched a security bug that exposed their personal information.
The Ravenna Hub website, which allows parents to apply and track the status of their children’s applications to thousands of schools, allowed any logged-in user to access the personally identifiable data associated with any other user, including their children.
Exposed data includes children’s names, dates of birth, addresses, photos and school details. Also exposed were parents’ email addresses and phone numbers, as well as information about the children’s siblings.
Florida-based VentureEd Solutions, which develops and maintains the Ravenna Hub, says on its website that it serves over one million students and processes hundreds of thousands of applications annually.
TechCrunch first learned of the vulnerability on Wednesday and notified the company soon after. VentureEd fixed the bug the same day, but TechCrunch has withheld this report until we can verify that the bug has been fixed.
Nick Laird, the CEO of VentureEd Solutions, told TechCrunch in an email that the company was able to replicate the issue and has addressed the vulnerability.
Laird said the company was investigating the incident, but would not commit to notifying users of the security flaw or say — when asked by TechCrunch — whether the company has the ability to check whether other users’ data was improperly accessed. We also asked if Ravenna Hub had its security reviewed by a third party, and if so, by whom. Laird did not say, and declined to comment further.
It is unclear who, if anyone, oversees cybersecurity at VentureEd and the Ravenna Hub.
The vulnerability is known as an insecure direct object reference, or IDOR, a common class of flaw in which a server returns a stored record to whoever requests it by its identifier, because the server applies weak or nonexistent authorization checks on the objects it serves.
In practice, the bug allowed any logged-in user to access another student’s data, including their personal information, by modifying the unique number associated with a student’s profile using their browser’s address bar.
In the case of Ravenna Hub, student numbers are sequential, meaning that it was possible for any user to access another student’s data by changing the profile number by one or more digits.
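The pattern the article describes, shown as an added illustration that is not Ravenna Hub's code: a profile lookup keyed only on the sequential number taken from the URL, beside a lookup that also verifies the requesting account owns that record, and an opaque public handle so URLs no longer carry a guessable, countable sequence number. The records, account ids and function names are all constructed for the example.

```python
"""Added illustration of an IDOR and two defensive fixes; not the vendor's code.
All records here are constructed sample data."""
import secrets
from dataclasses import dataclass


class NotFound(Exception):
    """Single failure type for missing *and* foreign records, so a response
    never confirms whether a given id exists."""


@dataclass(frozen=True)
class Student:
    student_id: int   # internal, sequential (like the seven-digit number in the URL)
    name: str
    parent_id: int    # the account allowed to view this record


# Constructed sample data: two families, consecutive internal ids.
STUDENTS = {
    1000001: Student(1000001, "Student A", parent_id=1),
    1000002: Student(1000002, "Student B", parent_id=2),
}


def get_profile_vulnerable(session_user_id: int, student_id: int) -> Student:
    """The IDOR: the record is fetched by id alone; the session is never
    consulted, so any logged-in user who edits the number sees any record."""
    return STUDENTS[student_id]


def can_view(session_user_id: int, student_id: int) -> bool:
    """Object-level authorization: the record must exist and belong to the
    account in the session."""
    student = STUDENTS.get(student_id)
    return student is not None and student.parent_id == session_user_id


def get_profile_fixed(session_user_id: int, student_id: int) -> Student:
    """Hardened lookup: authorization is enforced on every object access."""
    if not can_view(session_user_id, student_id):
        raise NotFound("no profile available for this account")
    return STUDENTS[student_id]


# Second, independent mitigation: expose an unguessable handle instead of the
# sequential id. The ownership check above is still required; the handle only
# removes the ordering/count leak and is not a substitute for authorization.
PUBLIC_HANDLES: dict = {}   # handle -> internal student_id


def issue_public_handle(student_id: int) -> str:
    """Mint a random, URL-safe handle for a record (128 bits of entropy)."""
    handle = secrets.token_urlsafe(16)
    PUBLIC_HANDLES[handle] = student_id
    return handle


def get_profile_by_handle(session_user_id: int, handle: str) -> Student:
    """Resolve the opaque handle, then apply the same ownership check."""
    student_id = PUBLIC_HANDLES.get(handle)
    if student_id is None or not can_view(session_user_id, student_id):
        raise NotFound("no profile available for this account")
    return STUDENTS[student_id]


if __name__ == "__main__":
    # Account 1 is the parent of Student A only.
    print("vulnerable:", get_profile_vulnerable(1, 1000002).name)  # another family's child leaks
    print("fixed:", get_profile_fixed(1, 1000001).name)            # own child, allowed
    try:
        get_profile_fixed(1, 1000002)
    except NotFound as exc:
        print("fixed:", exc)                                        # foreign record refused
```

The authorization check is the fix; the random handle is an additional measure that stops a URL from revealing how many records exist or which ids are adjacent, which is exactly the information the sequential seven-digit number gave away here. Returning the same "not found" result for a missing record and for someone else's record keeps the endpoint from acting as an existence oracle.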
When TechCrunch created a new account with test data, we found that the web address contained a seven-digit number. Therefore, there were slightly more than 1.63 million records before ours that were accessible to any other user.
This is the latest in a series of simple security flaws affecting children’s personal information. In January, the online coaching site UStrive exposed the personal information of its users, many of whom are still in school.
