400,000 German Students’ Sensitive Data Exposed by API Flaw

  • Scoolio, a school app in Germany developed with money from state-owned investment groups, had an API flaw that permitted extracting sensitive user data.
  • The app gathered user data even though it stated that it does not collect usernames, email addresses, school, class and other personal information.
  • The fix came only 30 days after the Zerforschung IT collective informed the company.

A recently discovered API flaw in Scoolio, an app used by schoolchildren in Germany, has compromised the sensitive information of 400,000 students. Lilith Wittmann from the IT security collective Zerforschung made the discovery, after which the app's team was contacted. Scoolio serves targeted advertising based on data collected from its users, most of whom are students, without their consent, even though it states that it does not gather any user data.

According to Wittmann's report, Scoolio's API flaws allowed data extraction based on user ID. Anyone following this process could obtain a user's nickname, email addresses, GPS history, school name and class, interests, UUID, and personal details such as origin, religion and sexuality. The researcher also provided a fictitious sample of the data types the flaw exposed.

source: Zerforschung

The researcher also stated that the API fix to prevent the data leak was rather simple; still, it came 30 days after she informed the company of the leak on September 21, 2021, arriving on October 25, 2021. She further states that it is not possible to say how many students were affected, since Scoolio artificially inflates its user numbers. The company behind the app has released an official document detailing the fix and confirming the issue.
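The flaw described above is an object-level authorization failure: the API returned a full record for whatever user ID it was handed. The following added example (not Scoolio's code; the handler, field names and sample records are constructed) shows such a lookup beside a fixed version that decides access per object, using the caller's identity from the server-side session rather than the request, and returns only non-sensitive fields to anyone but the record's owner.

```python
# Added illustration, not Scoolio's code: an object-level authorization bug
# of the kind described above, beside its fix. Records and field names are
# constructed sample data, not the real schema.

PROFILES = {
    "u-1001": {"nickname": "anna_k", "email": "anna@example.invalid",
               "school": "Gymnasium Nord", "class": "10b",
               "gps_history": [(51.05, 13.74)], "religion": "none",
               "sexuality": "undisclosed"},
    "u-1002": {"nickname": "ben_m", "email": "ben@example.invalid",
               "school": "Gymnasium Nord", "class": "10b",
               "gps_history": [(51.04, 13.73)], "religion": "undisclosed",
               "sexuality": "undisclosed"},
}

# Fields a schoolmate may legitimately see; everything else is owner-only.
PUBLIC_FIELDS = {"nickname", "school", "class"}


class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""


def get_profile_vulnerable(caller_id: str, target_id: str) -> dict:
    """Vulnerable: the handler trusts the ID in the request and never asks who
    is calling, so walking through IDs dumps every user's sensitive fields."""
    return dict(PROFILES[target_id])


def get_profile_fixed(caller_id: str, target_id: str) -> dict:
    """Fixed: caller_id comes from the authenticated session (not the request
    body or URL). The owner gets the full record; any other authenticated
    user gets only the public subset; unknown IDs and unauthenticated
    callers get one identical error so IDs cannot be enumerated."""
    if caller_id not in PROFILES:
        raise Forbidden("not found or not permitted")
    record = PROFILES.get(target_id)
    if record is None:
        raise Forbidden("not found or not permitted")
    if caller_id == target_id:
        return dict(record)
    # Data minimization: strip GPS, email, religion, sexuality for non-owners.
    return {k: v for k, v in record.items() if k in PUBLIC_FIELDS}
```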

Scoolio lets users access tools for time management, homework planning and staying in touch with peers, and even lets them contact companies about job openings or internship opportunities. The company behind it partnered with many German schools, marketing it as a remote teaching assistance app. It was developed with funding from three state-owned investment groups: SIB Innovations und Beteiligungsgesellschaft mbH, Technologiegründerfonds Sachsen, and Kreissparkasse Bautzen, so many students are pushed into using the app by partnerships and government initiatives that endorse it.

The main problem is that there is no audit for security gaps. A project started in August called "EduCheck Digital" (EDCD) is trying to determine which educational media meet German data protection regulations and can be approved for use in schools.
