
German student app caught out in data breach

Another data leak issue has been linked to an API issue, this time affecting the education sector.

File media-photo courtesy © Microsoft

Scoolio’s API flaw has exposed the data of 400,000 German students. According to Bleeping Computer, Lilith Wittmann, a security researcher from the IT security collective “Zerforschung”, discovered the bug and immediately disclosed the findings to the Scoolio team.

Using a person-in-the-middle proxy, the researcher was able to observe the communication between the app and the server on their own profile and work their way around the endpoints of the APIs used.

This could have led to a data breach, where information is stolen or taken from a system without the knowledge or authorization of the system’s owner.

With Scoolio, students can store timetables, homework and other plans. The app generates revenue from advertising.

Nathanael Coffing, CSO and co-founder of Cloudentity, assesses the impact of this latest data breach on the education sector.

According to Coffing, a fundamental design flaw lay behind the data breach: “As today’s enterprises increasingly turn to application programming interfaces (APIs) to enhance user experience and drive innovation, they often overlook the need to protect these services with fine-grained authorization and consent.”

Application Programming Interfaces (APIs) are software interfaces that allow two different applications to talk to each other and work together. While APIs are very useful, they account for a high number of database vulnerabilities, since an endpoint that authenticates a caller but never checks which records that caller is allowed to read exposes every record to every user.

He adds that: “In this case, the exposed data was more than enough for cybercriminals to launch highly targeted phishing attacks against the impacted users. Any organization responsible for consumers’ personally identifiable information (PII) must prioritize implementing proper security guardrails to mitigate data leakage and exposure risks.”

Too many organizations are running production APIs that have at best only a basic strategy for API security, and many have no strategy at all.

In terms of reducing the risk and avoiding such events in the future, Coffing advises: “Enforcing context-based granular authorization on all APIs and externalizing it from the API code prevents hackers from attacking flaws that expose sensitive personal information and ensures authorization and consent safeguards cover all users.”
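To make the advice concrete, here is an added example that is not code from the article, from Scoolio or from Cloudentity. It contrasts an endpoint that only authenticates the caller with one whose object-level authorization is externalized into a policy enforced before the handler runs, and includes the kind of regression test a defender would keep in the API's test suite. The profile store, user ids and handler names are all constructed for illustration.

```python
"""Externalized, object-level authorization for a profile API (added example).

The vulnerable handler trusts authentication alone: any logged-in caller can
read any profile id. The hardened handler delegates the decision to a policy
function wired in by a decorator, so the check cannot be forgotten per endpoint
and can be changed without touching handler code.
"""
from dataclasses import dataclass

# Constructed sample data: hypothetical student profile records keyed by user id.
PROFILES = {
    "u1": {"name": "Student One", "school": "School A", "email": "one@example.invalid"},
    "u2": {"name": "Student Two", "school": "School B", "email": "two@example.invalid"},
    "u3": {"name": "Student Three", "school": "School A", "email": "three@example.invalid"},
}


@dataclass(frozen=True)
class Request:
    caller: str      # subject id taken from an already-validated session token
    profile_id: str  # object id taken from the request path, attacker-controlled


class Forbidden(Exception):
    """Raised when the policy denies access; maps to HTTP 403 in a real API."""


def get_profile_vulnerable(req: Request) -> dict:
    """Authentication only: returns whatever profile id the caller asks for."""
    return PROFILES[req.profile_id]


# --- Hardened version: the authorization decision lives outside the handler ---

def owner_policy(caller: str, profile_id: str) -> bool:
    """Object-level policy: a caller may read only their own profile."""
    return caller == profile_id


def authorize(policy):
    """Decorator that enforces `policy` before the wrapped handler runs."""
    def wrap(handler):
        def guarded(req: Request):
            if not policy(req.caller, req.profile_id):
                # Denied attempts are worth logging: a burst of them from one
                # caller is the detection signal for id enumeration.
                raise Forbidden(f"{req.caller} may not read profile {req.profile_id}")
            return handler(req)
        return guarded
    return wrap


@authorize(owner_policy)
def get_profile_hardened(req: Request) -> dict:
    """Same handler body; the policy decorator decides who may reach it."""
    return PROFILES[req.profile_id]


def denied(handler, req: Request) -> bool:
    """True if the handler refuses the request with Forbidden."""
    try:
        handler(req)
    except Forbidden:
        return True
    return False


def records_readable_by(handler, caller: str) -> int:
    """Authorization regression test: how many stored records a single
    authenticated caller can read. For a per-user profile endpoint the
    correct answer is exactly 1."""
    return sum(1 for pid in PROFILES if not denied(handler, Request(caller, pid)))


if __name__ == "__main__":
    print("vulnerable endpoint, records readable by u1:",
          records_readable_by(get_profile_vulnerable, "u1"))
    print("hardened endpoint, records readable by u1:",
          records_readable_by(get_profile_hardened, "u1"))
```

The point of `records_readable_by` is that it runs against the handler as deployed, so a future endpoint that forgets the decorator fails the test rather than shipping. A richer policy (school staff reading pupils in their own school, a parent reading a linked child) slots into `owner_policy`'s place without any handler changing.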


Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist and an author. He is also interested in history, politics and current affairs.
