Online coaching website UStrive has resolved a security bug that exposed the personal information of its users, including children.
The exposed data included the full names, email addresses, phone numbers, and other non-public and user-supplied information of UStrive users, which was accessible to any other logged-in user.
The nonprofit, formerly known as Strive for College, provides online mentoring to high school and college students through its platform. The organization did not specify whether it plans to notify users of the security incident.
Last week, a person who asked not to be named alerted TechCrunch to the security flaw in UStrive’s mentoring platform. By watching the network traffic in a browser’s developer tools while logging in and navigating the site, for example when viewing user profiles, anyone could see streams of other users’ personal information in the server’s responses.
The person said UStrive relied on a vulnerable Amazon-hosted GraphQL endpoint (GraphQL is a query language for APIs that lets a client ask for exactly the fields it wants, not a database itself) that allowed access to batches of user records stored on UStrive’s servers. Some user records contained more data than others, including student-provided information such as gender and date of birth. The person said there were at least 238,000 user records at the time of the discovery. UStrive, meanwhile, states on its homepage that more than “1.1 million students have selected a UStrive mentor.”
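The flaw described above, a logged-in user being able to pull other users’ non-public fields out of a GraphQL endpoint, is an authorization failure in the server-side resolver rather than anything specific to GraphQL or to where the endpoint is hosted. The following is an added illustration of that class of bug and is not UStrive’s code: it shows a resolver in the vulnerable shape (authentication is the only gate, so any session gets every selected field of every record) beside a hardened version that decides access per field and per record and caps the page size. The user data, field names, roles and function signatures are constructed for the example.

```javascript
// Added example, not UStrive's code. Constructed sample data; field names,
// roles and the resolver API are assumptions made for illustration.
const USERS = [
  { id: "u1", fullName: "Alice Student", email: "alice@example.edu", phone: "555-0101", gender: "female", dateOfBirth: "2007-03-14", role: "student" },
  { id: "u2", fullName: "Bob Mentor", email: "bob@example.org", phone: "555-0102", gender: "male", dateOfBirth: "1989-11-02", role: "mentor" },
  { id: "u3", fullName: "Carol Staff", email: "carol@example.org", phone: "555-0103", gender: "female", dateOfBirth: "1980-06-30", role: "staff" },
];

// Fields any platform member may see about another member.
const PUBLIC_FIELDS = new Set(["id", "fullName", "role"]);
// Fields only the record's owner (or staff) may see.
const PRIVATE_FIELDS = new Set(["email", "phone", "gender", "dateOfBirth"]);
const MAX_PAGE = 50;

// Copy only the selected fields from a record, nulling anything missing.
function pick(record, fields) {
  const out = {};
  for (const f of fields) out[f] = f in record ? record[f] : null;
  return out;
}

// VULNERABLE: "is there a session?" is the only check. Once logged in, the
// caller receives every selected field of every record, with no paging.
function vulnerableUsers(ctx, selectedFields) {
  if (!ctx.viewerId) throw new Error("unauthenticated");
  return USERS.map((u) => pick(u, selectedFields));
}

// HARDENED: authorization is evaluated per field, per record, against the
// viewer's identity; unknown fields are rejected; page size is capped so one
// query cannot walk the whole table.
function hardenedUsers(ctx, selectedFields, { first = 20, after = 0 } = {}) {
  if (!ctx.viewerId) throw new Error("unauthenticated");
  const viewer = USERS.find((u) => u.id === ctx.viewerId);
  if (!viewer) throw new Error("unknown viewer");
  const unknown = selectedFields.filter((f) => !PUBLIC_FIELDS.has(f) && !PRIVATE_FIELDS.has(f));
  if (unknown.length) throw new Error(`unknown field(s): ${unknown.join(", ")}`);
  const pageSize = Math.min(Math.max(first, 1), MAX_PAGE);
  return USERS.slice(after, after + pageSize).map((u) => {
    const mayReadPrivate = u.id === viewer.id || viewer.role === "staff";
    const out = {};
    for (const f of selectedFields) {
      // Deny by default: a private field of someone else's record comes back null.
      out[f] = PUBLIC_FIELDS.has(f) || mayReadPrivate ? u[f] : null;
    }
    return out;
  });
}

// The check a tester runs against either resolver: how many private values
// belonging to *other* users did this viewer receive? Should be 0 for a
// non-staff viewer.
function leakedPrivateValues(viewerId, rows) {
  let n = 0;
  for (const row of rows) {
    if (row.id === viewerId) continue;
    for (const f of PRIVATE_FIELDS) if (row[f] != null) n++;
  }
  return n;
}
```

Seeing the endpoint and its responses in the browser’s developer tools is normal for any web application; the bug is that the server answered a request for other users’ private fields at all. The hardened resolver above is the same shape as the field-level authorization that a GraphQL server would enforce in each resolver, and the `leakedPrivateValues` check is the kind of assertion worth keeping in a test suite so a regression is caught before it reaches production.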
TechCrunch confirmed the data exposure by creating a new user account on UStrive, and notified company executives via email on Thursday.
John D. McIntyre, an attorney with the Virginia law firm McIntyre Stein, which represents UStrive, said in a letter provided to TechCrunch later Thursday that UStrive is “currently involved in litigation with one of its former software engineers” and therefore the company is “somewhat limited in its ability to respond.”
TechCrunch told McIntyre that the company at the time still had a security flaw that exposed children’s private and personal information, and asked McIntyre to notify TechCrunch if UStrive planned to fix the data exposure and, if so, by when.
McIntyre did not respond to our inquiry.
In response to TechCrunch’s initial approach, UStrive CTO Dwamian Mcleish told TechCrunch via email late Thursday that the report had been “restored.”
TechCrunch sent Mcleish follow-up emails with more questions about the incident, including: whether the company plans to notify its users of the security flaw, whether the company has the ability to review whether there was improper or malicious access to user data, and whether the company’s platform had undergone a security audit and, if so, by whom.
UStrive founder Michael J. Carter did not comment for this article.
