German student app caught out in data breach

Another data leak issue has been linked to an API issue, this time affecting the education sector.


Scoolio’s API flaw has exposed the data of 400,000 German students. According to Bleeping Computer, Lilith Wittmann, a security researcher from the IT security collective “Zerforschung”, discovered the bug and immediately disclosed their findings to the Scoolio team.

Using a person-in-the-middle proxy, the researcher was able to observe the communication between the app and the server on their own profile and work their way around the endpoints of the APIs used.

This could have led to a data breach (where information could be stolen or taken from a system without the knowledge or authorization of the system’s owner).

With Scoolio, students can store timetables, homework and other plans. The app generates revenue from advertising.

Nathanael Coffing, CSO and co-founder of Cloudentity, assesses the impact of this latest data breach on the education sector.

According to Coffing, a fundamental design flaw lay behind the data breach: “As today’s enterprises increasingly turn to application programming interfaces (APIs) to enhance user experience and drive innovation, they often overlook the need to protect these services with fine-grained authorization and consent.”

Application Programming Interfaces (APIs) are software that allows two different applications to talk to each other and work together. While APIs are very useful, they form part of a high number of database vulnerabilities.

He adds that: “In this case, the exposed data was more than enough for cybercriminals to launch highly targeted phishing attacks against the impacted users. Any organization responsible for consumers’ personally identifiable information (PII) must prioritize implementing proper security guardrails to mitigate data leakage and exposure risks.”

Too many organizations are running production APIs that have at best only a basic strategy for API security, and many have no strategy at all.

On addressing the risk and avoiding such events in the future, Coffing advises: “Enforcing context-based granular authorization on all APIs and externalizing it from the API code prevents hackers from attacking flaws that expose sensitive personal information and ensures authorization and consent safeguards cover all users.”

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
