Exclusive: Bug in student admissions website exposed children's personal information

Exclusive: Bug in student admissions website exposed children's personal information

Briefly

"A student admissions website used by families to enroll children into schools has fixed a security lapse that was exposing their personal information. The website, Ravenna Hub, which lets parents apply and track the status of their kids' applications across thousands of schools, was allowing any logged-in user to access the personally identifiable data associated with any other user, including their children."

"The exposed data includes children's names, dates of birth, addresses, pictures, and details about their school. Email addresses and phone numbers of parents, as well as information about children's siblings, were also exposed. Florida-based VentureEd Solutions, which develops and maintains Ravenna Hub, says on its website that it serves over a million students, and processes hundreds of thousands of applications a year."

"Nick Laird, the chief executive of VentureEd Solutions, told TechCrunch in an email that the company was able to replicate the issue and has addressed the vulnerability. Laird said the company was investigating the incident, but he would not commit to notifying users about the security lapse, or say - when asked by TechCrunch - if the company has the ability to check if there was any improper access to other users' data."

"We also asked if Ravenna Hub had its security checked by a third-party, and if so, by whom. Laird would not say, and declined to comment further. It's not clear who, if anyone, oversees cybersecurity at VentureEd and Ravenna Hub. The vulnerability is known as an insecure direct object reference, or IDOR, a common security flaw that allows users to access stored information because of weak or non-existent security controls on the concerned servers."