German student app caught out in data breach

Another data leak issue has been linked to an API issue, this time affecting the education sector.

Laptop computer browsing (file media-photo courtesy © Microsoft)

Scoolio’s API flaw has exposed the data of 400,000 German students. According to Bleeping Computer, Lilith Wittmann, a security researcher from the IT security collective “Zerforschung”, discovered the bug and immediately disclosed their findings to the Scoolio team.

Using a person-in-the-middle proxy on their own profile, the researcher was able to observe the communication between the app and the server and map the API endpoints the app used.

This could have led to a data breach (where information is taken from a system without the knowledge or authorization of the system’s owner).

With Scoolio, students can store timetables, homework and other plans. The app generates revenue from advertising.

Nathanael Coffing, CSO and co-founder of Cloudentity, assesses the impact of this latest data breach on the education sector.

According to Coffing, behind the data breach was a fundamental design flaw: “As today’s enterprises increasingly turn to application programming interfaces (APIs) to enhance user experience and drive innovation, they often overlook the need to protect these services with fine-grained authorization and consent.”

Application Programming Interfaces (APIs) are software interfaces that allow two different applications to talk to each other and work together. While APIs are very useful, they are also involved in a high number of data-exposure vulnerabilities.

He adds that: “In this case, the exposed data was more than enough for cybercriminals to launch highly targeted phishing attacks against the impacted users. Any organization responsible for consumers’ personally identifiable information (PII) must prioritize implementing proper security guardrails to mitigate data leakage and exposure risks.”

Too many organizations are running production APIs that have at best only a basic strategy for API security, and many have no strategy at all.

In terms of addressing the risk and avoiding such events in the future, Coffing advises: “Enforcing context-based granular authorization on all APIs and externalizing it from the API code prevents hackers from attacking flaws that expose sensitive personal information and ensures authorization and consent safeguards cover all users.”
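To make Coffing’s advice concrete, here is an added illustrative example (not Scoolio’s code, and not Cloudentity’s product) of the class of flaw the article describes: an endpoint that authenticates the caller but never checks that the requested profile belongs to them, placed beside a hardened version where the ownership check is an externalized policy applied by a decorator rather than written into each handler. The profile ids, tokens, `owner_only` policy and `authorized` decorator are all constructed for this example.

```python
"""Added example: an unguarded profile endpoint versus one protected by an
externalized authorization policy. All names and data are constructed."""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: two students and their stored profiles.
PROFILES = {
    "stu-1001": {"name": "Anna", "school": "Gymnasium A", "timetable": ["Math", "Bio"]},
    "stu-1002": {"name": "Ben", "school": "Gymnasium B", "timetable": ["History"]},
}
# Constructed session table: bearer token -> authenticated student id.
SESSIONS = {"tok-anna": "stu-1001", "tok-ben": "stu-1002"}

# Record of policy denials; a burst of denials across many ids from one
# session is the signal a defender would want to alert on.
DENIALS: list = []


@dataclass
class Request:
    token: str        # bearer token presented by the app
    profile_id: str   # profile the caller asks for


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def authenticate(req: Request) -> Optional[str]:
    """Maps a bearer token to the calling student's id (None if unknown)."""
    return SESSIONS.get(req.token)


# --- Vulnerable variant: the caller is authenticated, but the endpoint trusts
# the profile id in the request. Any valid session can read any profile, which
# is the broken object-level authorization pattern behind mass data exposure.
def get_profile_unguarded(req: Request) -> Response:
    if authenticate(req) is None:
        return Response(401)
    profile = PROFILES.get(req.profile_id)
    return Response(200, profile) if profile else Response(404)


# --- Hardened variant: authorization lives in a policy evaluated outside the
# handler, so every endpoint receives the same check and it can be audited in
# one place instead of in every handler body.
Policy = Callable[[str, str, str], bool]


def owner_only(subject: str, action: str, resource_id: str) -> bool:
    """Externalized policy (hypothetical): a student may only read their own profile."""
    return action == "profile:read" and subject == resource_id


def authorized(action: str, policy: Policy):
    """Decorator that authenticates the caller and enforces `policy` before the handler runs."""
    def wrap(handler):
        def guarded(req: Request) -> Response:
            subject = authenticate(req)
            if subject is None:
                return Response(401)
            if not policy(subject, action, req.profile_id):
                DENIALS.append((subject, action, req.profile_id))
                return Response(403)
            return handler(req)
        return guarded
    return wrap


@authorized("profile:read", owner_only)
def get_profile_guarded(req: Request) -> Response:
    # Handler body is identical to the unguarded one; the check is external.
    profile = PROFILES.get(req.profile_id)
    return Response(200, profile) if profile else Response(404)


if __name__ == "__main__":
    cross_read = Request("tok-anna", "stu-1002")
    print("unguarded:", get_profile_unguarded(cross_read).status)  # 200: Anna reads Ben's data
    print("guarded:  ", get_profile_guarded(cross_read).status)    # 403: policy denies it
    print("denials:  ", DENIALS)
```

The point of the decorator is the one Coffing makes: the ownership rule is not repeated (or forgotten) in each handler, and because denials are recorded centrally, a session that requests many profile ids it does not own becomes visible to monitoring rather than silently succeeding.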

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
