
A bug in the official student website exposed children’s information


An official student website that families use to enroll children in school has fixed a security issue that exposed their personal information.

The website, Ravenna Hub, which allows parents to register and monitor their children’s applications at thousands of schools, was allowing any user to access information about any other user, including their children.

The exposed information included children’s names, birthdays, addresses, photos, and school information. The parents’ email addresses and phone numbers, as well as information about the children’s siblings, were also exposed.

Florida-based VentureEd Solutions, which develops and maintains Ravenna Hub, says on its website that it supports more than a million students, and organizes hundreds of thousands of programs annually.

TechCrunch first learned of the issue on Wednesday and informed the company shortly after. VentureEd fixed the bug the same day, but TechCrunch withheld the report until we confirmed the bug had been fixed.

Nick Laird, CEO of VentureEd Solutions, told TechCrunch in an email that the company was able to replicate the issue and has resolved it.

Laird said the company is investigating what happened, but he would not commit to informing users about the security breach, or say, when asked by TechCrunch, whether the company has the ability to check if there was any improper access to other users’ information. We also asked if the Ravenna Hub was managed by someone else, and if so, who. Laird did not say, and declined to comment further.

It is unclear who, if anyone, is in charge of cybersecurity at VentureEd and the Ravenna Hub.

This vulnerability is known as an insecure direct object reference, or IDOR, a common security flaw that allows users to access stored information because of weak or non-existent access controls on the affected servers.

In this case, the flaw allowed any user to access another student’s data, including personal information, by changing the unique code associated with that student’s profile in their browser’s address bar.

In the case of Ravenna Hub, student numbers are sequential, meaning that it was possible for any user to access the data of another student by changing one or more digits of the record number.

When TechCrunch created a new test account, we found that the number in the address contained seven digits. So, there were over 1.63 million records before ours that were accessible to anyone else.
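The missing check described above, as an added example that is not Ravenna Hub’s code: a record lookup with no ownership check beside one that enforces it and logs denials, so that probing of sequential record numbers can be reviewed afterwards. The record store, account names and function names are all hypothetical, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample data: sequential record numbers, each owned by one
# parent account (all names here are hypothetical).
STUDENTS = {
    1000001: {"owner": "parent_a", "name": "Student One"},
    1000002: {"owner": "parent_b", "name": "Student Two"},
    1000003: {"owner": "parent_c", "name": "Student Three"},
}


def get_student_vulnerable(account, student_id):
    """The IDOR pattern: the caller is logged in, but ownership is never checked."""
    return STUDENTS.get(student_id)


def get_student_checked(account, student_id, denied_log):
    """Return the record only if the logged-in account owns it."""
    record = STUDENTS.get(student_id)
    if record is None or record["owner"] != account:
        # Same error for "missing" and "not yours", so responses do not
        # reveal which record numbers exist. Denials are logged for review.
        denied_log.append((account, student_id))
        raise PermissionError("record not available")
    return record


def flag_enumeration(denied_log, threshold=3):
    """Flag accounts denied on at least `threshold` distinct record numbers."""
    seen = defaultdict(set)
    for account, student_id in denied_log:
        seen[account].add(student_id)
    return sorted(a for a, ids in seen.items() if len(ids) >= threshold)
```

The denial log is what makes the question of past improper access answerable: without a record of which account requested which record number, there is nothing to review after the fix.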

This is the latest security breach involving simple security flaws that affect children’s information. In January, UStrive’s online support website revealed information about its users, most of whom are still in school.


