German student app victim of data breach
Scoolio’s API flaw exposed the data of 400,000 German students. According to Bleeping Computer, Lilith Wittmann, a security researcher from the computer security collective “Zerforschung”, discovered the bug and immediately disclosed her findings to the Scoolio team.
Using a man-in-the-middle proxy on her own profile, the researcher was able to observe the traffic between the app and the server and map the API endpoints the app was calling.
This could have led to a data breach (where information is stolen or removed from a system without the knowledge or permission of the system’s owner).
With Scoolio, students can store schedules, homework, and other plans. The application generates income through advertising.
Nathanael Coffing, CSO and co-founder of Cloudentity, assesses the impact of this latest data breach on the education sector.
According to Coffing, the data breach was a fundamental design flaw: “As businesses today increasingly look to application programming interfaces (APIs) to improve user experience and boost business performance and innovation, they often overlook the need to protect these services with specific authorization and consent.”
Application programming interfaces (APIs) are software interfaces that allow two different applications to talk to and work together. Although APIs are very useful, they are also one of a number of common points of exposure for the data behind them.
He adds that: “In this case, the data exposed was more than enough for cybercriminals to launch highly targeted phishing attacks against the affected users. Any organization responsible for personally identifiable information (PII) of consumers should prioritize the implementation of appropriate security guardrails to mitigate the risks of data leakage and exposure.
Too many organizations are running production APIs that only have a basic API security policy at best, and many have no policy at all.”
In terms of reducing risk and avoiding such events in the future, Coffing advises: “Applying granular context-based authorization on all APIs and outsourcing it from code to the API prevents hackers from attacking vulnerabilities that expose sensitive personal information and guarantees that authorization and consent cover all users.”
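As an added illustration of the advice above (example code written for this article, not code from Scoolio, Zerforschung or Cloudentity), the following hypothetical profile API shows the difference between a dispatcher that only authenticates the caller and one that also enforces an object-level ownership check centrally, before any handler runs. Profiles, tokens and paths are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: two student profiles and two session tokens.
PROFILES = {
    "stu-1": {"name": "Alice", "school": "Gymnasium A"},
    "stu-2": {"name": "Bob", "school": "Realschule B"},
}
SESSIONS = {"tok-alice": "stu-1", "tok-bob": "stu-2"}

# Audit trail of denied requests, useful as a detection signal for
# callers that walk through profile ids they do not own.
DENIED = []

@dataclass
class Request:
    token: Optional[str]
    path: str          # e.g. "/profiles/stu-1"

@dataclass
class Response:
    status: int
    body: Optional[dict] = None

def authenticate(req: Request) -> Optional[str]:
    """Return the subject id for a valid session token, else None."""
    return SESSIONS.get(req.token) if req.token else None

def authorize(subject: str, resource_id: str) -> bool:
    """Policy kept out of the handler: a caller may only read their own profile."""
    return subject == resource_id

def get_profile_handler(resource_id: str) -> Response:
    if resource_id not in PROFILES:
        return Response(404)
    return Response(200, PROFILES[resource_id])

def dispatch_unprotected(req: Request) -> Response:
    """Flawed design: any valid session can fetch any profile by id."""
    resource_id = req.path.rsplit("/", 1)[-1]
    if authenticate(req) is None:
        return Response(401)
    return get_profile_handler(resource_id)

def dispatch_protected(req: Request) -> Response:
    """Hardened design: ownership is checked centrally before the handler runs."""
    resource_id = req.path.rsplit("/", 1)[-1]
    subject = authenticate(req)
    if subject is None:
        return Response(401)
    if not authorize(subject, resource_id):
        DENIED.append((subject, resource_id))
        return Response(403)   # same answer whether or not the id exists
    return get_profile_handler(resource_id)
```

Because the check lives in the dispatcher rather than in each handler, a newly added endpoint cannot forget it, and the DENIED log gives operators a place to alert on one session requesting many foreign ids.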