Scoolio’s API flaw has exposed the data of 400,000 German students. According to Bleeping Computer, Lilith Wittmann, a security researcher from the IT security collective “Zerforschung”, discovered the bug and immediately disclosed the findings to the Scoolio team.
Using a person-in-the-middle proxy on their own profile, the researcher was able to observe the communication between the app and the server and map out the API endpoints the app uses.
This could have led to a data breach, in which information is taken from a system without the knowledge or authorization of its owner.
With Scoolio, students can store timetables, homework and other plans. The app generates revenue from advertising.
Nathanael Coffing, CSO and co-founder of Cloudentity, assesses the impact of this latest data breach affecting the education sector.
According to Coffing, a fundamental design flaw lay behind the data breach: “As today’s enterprises increasingly turn to application programming interfaces (APIs) to enhance user experience and drive innovation, they often overlook the need to protect these services with fine-grained authorization and consent.”
Application Programming Interfaces (APIs) are software that allows two different applications to talk to each other and work together. While APIs are very useful, they account for a large share of vulnerabilities that expose databases.
He adds: “In this case, the exposed data was more than enough for cybercriminals to launch highly targeted phishing attacks against the impacted users. Any organization responsible for consumers’ personally identifiable information (PII) must prioritize implementing proper security guardrails to mitigate data leakage and exposure risks.”
Too many organizations are running production APIs that have at best only a basic strategy for API security, and many have no strategy at all.
On reducing the risk and avoiding such events in the future, Coffing advises: “Enforcing context-based granular authorization on all APIs and externalizing it from the API code prevents hackers from attacking flaws that expose sensitive personal information and ensures authorization and consent safeguards cover all users.”
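To make the advice concrete, here is an added illustration (not Scoolio’s or Cloudentity’s code) of a profile endpoint in both forms: a handler that returns any record to any authenticated caller, and the same handler with the authorization decision externalized into a policy function that sees the caller’s context. The records, roles and class identifiers are constructed for the example.

```python
# Added example (not Scoolio's or Cloudentity's code): the same profile
# endpoint with the authorization decision moved out of the handler into a
# separate policy function that sees the caller's context. All data below is
# constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Caller:
    user_id: str
    role: str          # "student" or "teacher"
    class_id: str


# Constructed sample records keyed by profile id (the path parameter).
PROFILES = {
    "1001": {"owner": "u-alice", "class_id": "c-7b", "email": "alice@example.org"},
    "1002": {"owner": "u-bob",   "class_id": "c-7b", "email": "bob@example.org"},
    "2001": {"owner": "u-carol", "class_id": "c-9a", "email": "carol@example.org"},
}


class Forbidden(Exception):
    pass


def get_profile_unchecked(caller: Caller, profile_id: str) -> dict:
    """Flaw pattern: authenticated, but any caller can read any profile id."""
    return PROFILES[profile_id]


def may_read_profile(caller: Caller, profile: dict) -> bool:
    """Externalized policy: decides from caller context, not inside the handler."""
    if profile["owner"] == caller.user_id:
        return True                                   # own record
    if caller.role == "teacher" and profile["class_id"] == caller.class_id:
        return True                                   # teacher of that class
    return False


def get_profile(caller: Caller, profile_id: str) -> dict:
    """Hardened handler: fetch, then ask the policy before returning anything."""
    profile = PROFILES.get(profile_id)
    if profile is None or not may_read_profile(caller, profile):
        # Same response for "missing" and "not yours": no id enumeration oracle.
        raise Forbidden(profile_id)
    return profile


def read_ok(caller: Caller, profile_id: str) -> bool:
    """True when the hardened handler grants the read, False when it refuses."""
    try:
        get_profile(caller, profile_id)
        return True
    except Forbidden:
        return False
```

Because `may_read_profile` is the only place that decides access, new rules (consent flags, time windows, per-field redaction) are added there once and apply to every endpoint that calls it.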
