Student raised security concerns in Mobile Guardian MDM weeks before cyberattack

Comment
A person claiming to be a student in Singapore publicly posted documentation showing lax security in a widely popular school mobile device management service called Mobile Guardian, weeks before a cyberattack on the company resulted in the mass-wiping of student devices and widespread disruption.
In an email with TechCrunch, the student — who declined to provide his name citing fear of legal retaliation — said he reported the bug to the Singaporean government by email in late May but could not be sure that the bug was ever fixed. The Singaporean government told TechCrunch that the bug was fixed prior to Mobile Guardian’s cyberattack on August 4, but the student said that the bug was so easy to find and trivial for an unsophisticated attacker to exploit, that he fears there are more vulnerabilities of similar exploitability.
The U.K.-based Mobile Guardian, which provides student device management software in thousands of schools around the world, disclosed the breach on August 4 and shut down its platform to block the malicious access, but not before the intruder used their access to remotely wipe thousands of student devices.
A day later, the student published details of the vulnerability he had previously sent to the Singaporean Ministry of Education, a major customer of Mobile Guardian since 2020.
In a Reddit post, the student said the security bug he found in Mobile Guardian granted any signed-in user “super admin” access to the company’s user management system. With that access, the student said, a malicious person could perform actions that are reserved for school administrators, including the ability to “reset every person’s personal learning device,” he said. 
The student wrote that he reported the issue to the Singaporean education ministry on May 30. Three weeks later, the ministry responded to the student saying the flaw is “no longer a concern,” but declined to share any further details with him, citing “commercial sensitivity,” according to the email seen by TechCrunch. 
When reached by TechCrunch, the ministry confirmed it had received word of the bug from the security researcher, and that “the vulnerability had been picked up as part of an earlier security screening, and had already been patched,” as per spokesperson Christopher Lee.
“We also confirmed that the disclosed exploit was no longer workable after the patch. In June, an independent certified penetration tester conducted a further assessment, and no such vulnerability was detected,” said the spokesperson.
“Nevertheless, we are mindful that cyber threats can evolve quickly and new vulnerabilities discovered,” the spokesperson said, adding that the ministry “regards such vulnerability disclosures seriously and will investigate them thoroughly.”
The student described the bug to TechCrunch as a client-side privilege escalation vulnerability, which allowed anyone on the internet to create a new Mobile Guardian user account with an extremely high level of system access using only the tools in their web browser. This was because Mobile Guardian’s servers were allegedly not performing the proper security checks and trusting responses from the user’s browser.
The bug meant that the server could be tricked into accepting the higher level of system access for a user’s account by modifying the network traffic in the browser.
TechCrunch was provided a video — recorded on May 30, the day of disclosure — demonstrating how the bug works. The video shows the user creating a “super admin” account using only the browser’s in-built tools to modify the network traffic containing the user’s role to elevate that account’s access from “admin” to “super admin.”
The video showed the server accepting the modified network request, and when logged in as that newly created “super admin” user account, granted access to a dashboard displaying lists of Mobile Guardian enrolled schools.
Mobile Guardian CEO Patrick Lawson did not respond to multiple requests for comment prior to publication, including questions about the student’s vulnerability report and whether the company fixed the bug.
After we contacted Lawson, the company updated its statement as follows: “Internal and third party investigations into previous vulnerabilities of the Mobile Guardian Platform are confirmed to have been resolved and no longer pose a risk.” The statement did not say when the previous flaws were resolved nor did the statement explicitly rule out a link between the previous flaws and its August cyberattack. 
This is the second security incident to beset Mobile Guardian this year. In April, the Singaporean education ministry confirmed the company’s management portal had been hacked and the personal information of parents and school staff from hundreds of schools across Singapore compromised. The ministry attributed the breach to Mobile Guardian’s lax password policy, rather than a vulnerability in its systems.
Do you know more about the Mobile Guardian cyberattack? Are you affected? Get in touch. You can contact this reporter on Signal and WhatsApp at +1 646-755-8849, or by email. You can send files and documents via SecureDrop.
Every weekday and Sunday, you can get the best of TechCrunch’s coverage.
Startups are the core of TechCrunch, so get our best coverage delivered weekly.
The latest Fintech news and analysis, delivered every Tuesday.
TechCrunch Mobility is your destination for transportation news and insight.
By submitting your email, you agree to our Terms and Privacy Notice.
Tragedy has again struck a famous Silicon Valley family. Former YouTube CEO Susan Wojcicki just passed away, according to social media posts by her husband, Dennis Troper, and by Google…
This is the second cyberattack targeting the school device management service Mobile Guardian this year.
Featured Article
India’s wearable market declined in Q2, primarily because smartwatch are not attracting consumers.
Anysphere, a two-year-old startup that’s developed an AI-powered coding assistant called Cursor, has raised over $60 million in a Series A financing at a $400 million post-money valuation, two sources…
The internet is full of deepfakes — and most of them are nudes. According to a report from Home Security Heroes, deepfake porn makes up 98% of all deepfake videos…
Researchers found flaws that could allow anyone to spy on the owners of Ecovacs home robots by hijacking their cameras and microphones.
When digging into the data to determine how large the exodus everyone on Threads is talking about actually is, we oddly came up short.
Substack is opening up to more users with its recent announcement that anyone can now publish content on its platform without setting up a publication. With the change, Substack is…
WeRide, a Chinese autonomous vehicle company, is officially gearing up for a U.S. public debut, over a year after China started easing its effective ban of foreign IPOs.  WeRide registered…
Welcome to Startups Weekly — your weekly recap of everything you can’t miss from the world of startups. Want it in your inbox every Friday? Sign up here. This week we…
Featured Article
Jon DiMaggio used sockpuppet accounts, then his own identity, to infiltrate LockBit and gain the trust of its alleged admin, Dmitry Khoroshev.
The U.K. government has indicated it may seek stronger powers to regulate tech platforms following days of violent disorder across England and Northern Ireland fueled by the spread of online…
The Startup Battlefield is the crown jewel of Disrupt, and we can’t wait to see which of the thousands of applicants will be selected to pitch to panels of top-tier VCs…
The startup’s core technology is a proprietary material that absorbs moisture from the air, allowing air conditioning to cool buildings more efficiently.
YouTube’s latest test involves a sleep timer that pauses the video after, well, a set period of time.
Ola Electric, India’s largest electric two-wheeler maker, surged by 20% on its public debut on Friday, making it the biggest listing among Indian firms in two years. Shares of the…
Rocket Lab surpassed $100 million in quarterly revenue for the first time, a 71% increase from the same quarter of last year. This is just one of several shiny accomplishments…
In 1996, two companies, Patersons HR and Payroll Solutions, formed a venture called CloudPay to provide payroll and payments services to enterprise clients. CloudPay grew quietly over the next several…
The vulnerabilities allowed one security researcher to peek inside the leak sites without having to log in.
Featured Article
The tech layoff wave is still going strong in 2024. Following significant workforce reductions in 2022 and 2023, this year has already seen 60,000 job cuts across 254 companies, according to independent layoffs tracker Layoffs.fyi. Companies like Tesla, Amazon, Google, TikTok, Snap and Microsoft have conducted sizable layoffs in the…
A new “beta rabbit” mode adds some conversational AI chops to the Rabbit r1, particularly in more complex or multi-step instructions.
Los Angeles is notorious for its back-to-back traffic. Three events that promise to bring in millions of spectators from around the world — the 2026 World Cup, the Super Bowl…
Featured Article
Amazon’s decision to overlook quick-commerce in India is now looking like a significant misstep.
OpenAI’s GPT-4o, the generative AI model that powers the recently launched alpha of Advanced Voice Mode in ChatGPT, is the company’s first trained on voice as well as text and…
On Thursday, Box filled in a missing piece on its AI platform when it bought automated metadata extracting startup, Alphamoon.
OpenAI has announced a new appointment to its board of directors: Zico Kolter. Kolter, a professor and director of the machine learning department at Carnegie Mellon, predominantly focuses his research…
Count Spotify and Epic Games among the Apple critics who are not happy with the iPhone maker’s newly revised compliance plan for the European Union’s Digital Markets Act (DMA). Shortly…
Thursday seeks to shake up conventional online dating in a crowded market. The app, which recently expanded to San Francisco, fosters intentional dating by restricting user access to Thursdays. At…
AI companies are gobbling up investor money and securing sky-high valuations early in their life cycle. This dynamic has many calling the AI industry a bubble. Nick Frosst, a co-founder…
Instagram is rolling out the ability for users to add up to 20 photos or videos to their feed carousels, as the platform embraces the trend of “photo dumps.” Back…
Powered by WordPress VIP

source
Sponsor:News technical sponsor
Sponsor:News AI sponsor
Sponsor: AI sponsor
Sponsor: AI sponsor

Leave a Comment

Vélemény, hozzászólás?

Az e-mail címet nem tesszük közzé. A kötelező mezőket * karakterrel jelöltük