Bug in student admissions website exposed children’s personal information
Source: TechCrunch
A student admissions website used by families to enroll children into schools has fixed a security lapse that was exposing their personal information.
The website, Ravenna Hub, which lets parents apply and track the status of their kids’ applications across thousands of schools, was allowing any logged‑in user to access the personally identifiable data associated with any other user, including their children.
The exposed data included children’s names, dates of birth, addresses, pictures, and details about their school. Email addresses and phone numbers of parents, as well as information about children’s siblings, were also exposed.
Florida‑based VentureEd Solutions, which develops and maintains Ravenna Hub, says on its website that it serves over a million students and processes hundreds of thousands of applications a year.
Vulnerability Details
The flaw is an insecure direct object reference (IDOR), a common class of vulnerability in which a server looks up a record using an identifier supplied by the client, such as a number in a URL, without checking that the logged‑in user is actually authorized to see that particular record. Authentication is enforced, but authorization is not.
In practice, the bug allowed any logged‑in user to access another student’s data by modifying the unique number associated with a student’s profile in the web browser’s address bar. Because Ravenna Hub assigns profile numbers sequentially, a user could retrieve another student’s data simply by incrementing or decrementing the number by one or more.
When TechCrunch created a new account with test data, the web address contained a seven‑digit number. This implies that slightly more than 1.63 million records created before the test account were accessible to any other logged‑in user in the same way.
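The pattern described above, as an added example that is not code from the article or from Ravenna Hub itself: a minimal in‑memory lookup written two ways. The function names, the account names and the student records are constructed for illustration; the profile numbers only imitate the sequential seven‑digit identifier the article says appears in the URL. The example assumes the session user has already been authenticated, which is exactly the situation in which an IDOR check must still run.

```python
# Added example, not code from the article or from Ravenna Hub/VentureEd.
# Data and function names are constructed so the file runs offline.


class AccessDenied(Exception):
    """Raised when a request must be refused (the equivalent of an HTTP 403/404)."""


# Constructed sample records. Keys imitate a sequential profile number taken
# from the URL; "owner" is the account that created the record.
STUDENTS = {
    1630001: {"owner": "parent-a", "name": "Child A", "dob": "2015-04-02"},
    1630002: {"owner": "parent-b", "name": "Child B", "dob": "2014-11-19"},
    1630003: {"owner": "parent-c", "name": "Child C", "dob": "2016-07-30"},
}


def get_student_vulnerable(session_user, student_id):
    """IDOR pattern: checks only that someone is logged in, then trusts the
    identifier from the URL and returns whatever record it names."""
    if not session_user:
        raise AccessDenied("login required")
    record = STUDENTS.get(student_id)
    if record is None:
        raise AccessDenied("no such student")
    return record  # missing check: record["owner"] == session_user


def get_student_hardened(session_user, student_id):
    """Same lookup, but authorization is decided per object: the record is
    returned only if it belongs to the calling account. A missing record and
    a record owned by someone else produce the identical error, so the
    response does not reveal which profile numbers exist."""
    if not session_user:
        raise AccessDenied("login required")
    record = STUDENTS.get(student_id)
    if record is None or record["owner"] != session_user:
        raise AccessDenied("not found")
    return record


def can_read(handler, session_user, student_id):
    """True if the handler hands back a record for this caller and ID."""
    try:
        handler(session_user, student_id)
        return True
    except AccessDenied:
        return False


def count_readable(handler, session_user, start_id, span):
    """Simulates the enumeration the article describes: walk the profile
    numbers on either side of the caller's own record and count how many
    the handler returns. With sequential IDs and no ownership check, every
    neighbouring record is readable."""
    return sum(
        can_read(handler, session_user, sid)
        for sid in range(start_id - span, start_id + span + 1)
    )


if __name__ == "__main__":
    own = 1630001  # parent-a's own child
    print("vulnerable:", count_readable(get_student_vulnerable, "parent-a", own, 2))
    print("hardened:  ", count_readable(get_student_hardened, "parent-a", own, 2))
```

The fix is the per‑object authorization check, not a change to the identifier: in a real admissions system the rule would be an explicit policy (the record's parent, or staff at the school it was submitted to) rather than a single owner field, but it must be evaluated on every request. Replacing sequential numbers with random, unguessable identifiers is worth doing as well because it removes the enumeration, but on its own it only hides records rather than protecting them.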
Response from VentureEd
TechCrunch first learned of the vulnerability on Wednesday and alerted the company. VentureEd fixed the bug the same day, but TechCrunch held the report until the fix could be verified.
Nick Laird, chief executive of VentureEd Solutions, told TechCrunch in an email that the company was able to replicate the issue and has addressed the vulnerability. Laird said the company was investigating the incident but would not commit to notifying users about the security lapse, nor confirm whether the company could check for any improper access to other users’ data. When asked if Ravenna Hub had undergone a third‑party security review, Laird declined to comment.
It is not clear who, if anyone, oversees cybersecurity at VentureEd and Ravenna Hub.
Related Incidents
This is the latest security lapse involving simple security flaws affecting the personal information of children. In January, online mentoring site UStrive exposed the personal information of its users, many of whom are still in school.