In a striking revelation, a Singapore-based student shared documents online demonstrating the poor security measures of a popular school mobile management service known as Mobile Guardian, just weeks before the company faced a cyberattack leading to significant data wipeouts and disruption across student devices.
Communicating with TechCrunch through email, the student, who opted to remain anonymous due to concerns over potential legal consequences, disclosed that he had alerted the Singapore government about the security flaw via email in late May. However, he remained uncertain about the issue being resolved. The Singapore government, on its part, assured TechCrunch that the flaw had been addressed before the cyberattack on Mobile Guardian on August 4. Nevertheless, the student expressed apprehension that due to the ease of discovering and exploiting the bug, other similar vulnerabilities might still exist.
Mobile Guardian, a U.K.-based provider of device management software for students utilized by thousands of schools globally, acknowledged the security breach on August 4. They subsequently disabled their platform to prevent further unauthorized access. Unfortunately, this action came after the hacker had already used their access to remotely clear data on thousands of student devices.
Following the breach, the student shared the vulnerability details on a public platform that he had previously conveyed to the Singapore Ministry of Education, a significant client of Mobile Guardian since 2020.
In a post on Reddit, he explained how the flaw in Mobile Guardian allowed any logged-in user to gain “super admin” rights within the company’s user management panel. This level of access could enable a malicious user to perform tasks usually reserved for school administrators, such as resetting all personal learning devices, he elaborated.
The issue was reported to the education ministry on May 30, and after three weeks, the ministry responded, indicating that the flaw was no longer a concern but did not provide further clarification, citing “commercial sensitivity,” as per the email shared with TechCrunch.
Upon contacting, a ministry spokesperson confirmed the report of the bug by the security investigator and stated that it had been identified and patched in a prior security review. Christopher Lee, the spokesperson, assured that an independent security assessment in June found no such vulnerabilities.
Despite these assurances, the ministry remains vigilant about the evolving nature of cyber threats and takes disclosures of vulnerabilities seriously, committing to thorough investigations, added the spokesperson.
Vulnerability exploitable through any web browser
The student detailed to TechCrunch that the vulnerability was a client-side privilege escalation flaw, essentially allowing anyone online to sign-up for a high-privilege Mobile Guardian account using just their web browser tools. This was due to Mobile Guardian’s servers failing to conduct essential security verifications and overly trusting the client-side inputs.
By altering the network traffic via browser tools, a server could be deceived into granting an account a higher access level, the student demonstrated through a video made on the day of the vulnerability disclosure.
The video illustrated the server accepting the altered network request and granting the “super admin” user account access to a dashboard listing Mobile Guardian enrolled schools, showing the flaw’s potential impact.
Patrick Lawson, CEO of Mobile Guardian, did not respond to inquiries about the vulnerability report and whether the flaw had been rectified before publication. Following our queries, the company stated that internal and external reviews confirmed the resolution of previously identified vulnerabilities, affirming they no longer pose a threat, without specifying the resolution timeline or addressing a connection to the cyberattack in August.
This incident marked Mobile Guardian’s second security setback for the year. Earlier, in April, the Singapore Ministry of Education confirmed a hack into the company’s management portal that compromised personal details of parents and staff from numerous schools. The breach was attributed to insufficient password policies at Mobile Guardian rather than a system vulnerability.
If you have more information about the Mobile Guardian cyberattack or have been affected, we encourage you to reach out. This reporter is available through Signal and WhatsApp at +1 646-755-8849 or via email. SecureDrop is also available for sending files and documents.
Compiled by Techarena.au.
Fanpage:Â TechArena.au
Watch more about AI – Artificial Intelligence
