400,000 German Students’ Sensitive Data Exposed by API Flaw

By Supriyo Chatterji / October 28, 2021

A recently discovered API flaw in Scoolio, an app used by schoolchildren in Germany, has exposed the sensitive information of 400,000 students. Lilith Wittmann from the IT security collective Zerforschung made the discovery, after which the app's team was contacted. Scoolio serves targeted advertising based on data collected from its users, most of whom are students, without their consent, even though it states that it does not gather any user data.

According to Wittmann's report, Scoolio's API flaws allow data to be extracted for any account simply by supplying its user ID. Anyone exploiting this can retrieve the user's nickname, email addresses, GPS history, school name and class, interests, UUID details, and personal details such as origin, religion, and sexuality. The researcher also provided a fictitious sample of the data types the flaw exposed.

(Image: fictitious sample of the exposed data types; source: Zerforschung)

The researcher also stated that the API fix needed to prevent the data leak was rather simple, yet it still took 30 days: it arrived on October 25, 2021, after she had informed the company of the leak on September 21, 2021. She further states that it is not possible to say how many students were actually affected, since Scoolio artificially inflates its user numbers. The company behind the app has released an official document detailing the fix and confirming the issue.
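To make the flaw and the fix described above concrete, here is an added example (not Scoolio's code; all records, tokens and log lines are constructed): a profile endpoint that returns a full record for any user ID, beside a hardened version that authenticates the caller, authorises per object, and minimises the fields returned to non-owners, plus a simple detector for ID enumeration in access logs.

```python
from collections import defaultdict

# Constructed sample records with the field types the report mentions.
PROFILES = {
    "u-1001": {"nickname": "anna_b", "email": "anna@example.invalid",
               "school": "Gymnasium Musterstadt", "class": "9b",
               "gps_history": [(51.05, 13.74)], "interests": ["chess"],
               "religion": "none", "sexuality": "undisclosed"},
    "u-1002": {"nickname": "ben_k", "email": "ben@example.invalid",
               "school": "Gymnasium Musterstadt", "class": "9b",
               "gps_history": [(51.06, 13.73)], "interests": ["football"],
               "religion": "undisclosed", "sexuality": "undisclosed"},
}
SESSIONS = {"tok-anna": "u-1001", "tok-ben": "u-1002"}  # constructed token -> user ID

# Fields one user may see about another (data minimisation).
PUBLIC_FIELDS = {"nickname", "school", "class"}


def get_profile_vulnerable(user_id):
    """Before: no authentication, no authorisation. Anyone who knows or
    guesses a user ID receives the complete record."""
    return dict(PROFILES[user_id])


def get_profile_fixed(token, user_id):
    """After: authenticate, then authorise per object and per field.
    Returns (http_status, body) the way an HTTP handler would."""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, {}                       # no valid session
    record = PROFILES.get(user_id)
    if record is None:
        return 404, {}
    if caller == user_id:
        return 200, dict(record)             # owner sees the full record
    # Another authenticated user only sees the minimal public view.
    return 200, {k: v for k, v in record.items() if k in PUBLIC_FIELDS}


def flag_enumeration(log_lines, threshold=3):
    """Detection: sessions that fetch many distinct profile IDs.
    Constructed log format: '<token> GET /profile/<user_id>'."""
    seen = defaultdict(set)
    for line in log_lines:
        token, _method, path = line.split()
        seen[token].add(path.rsplit("/", 1)[-1])
    return sorted(t for t, ids in seen.items() if len(ids) >= threshold)
```

The threshold in `flag_enumeration` is illustrative; in production it would be tuned to a time window and the app's normal browsing pattern.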

Scoolio gives users tools for time management and homework planning, lets them stay in touch with peers, and even allows them to contact companies about job openings or internship opportunities. The company behind it has partnered with many German schools, marketing the app as a remote teaching assistant. It was developed with funding from three state-owned investment groups: SIB Innovations und Beteiligungsgesellschaft mbH, Technologiegründerfonds Sachsen, and Kreissparkasse Bautzen. As a result, many students are pushed into using the app through these partnerships and the government initiatives that endorse it.

The underlying problem is that there is no audit of such apps for security gaps. A project started in August called "EduCheck Digital" (EDCD) aims to determine which educational media meet the German data protection regulations and can be approved for use in schools.
