- Scoolio, a school app in Germany built with money from state-owned investment groups, had an API flaw that permitted extracting sensitive user data.
- The app gathered user data even though it claimed not to collect usernames, email addresses, school, class, and other personal information.
- The fix came only after 30 days had passed since the Zerforschung IT collective informed the company.
A recently discovered API flaw in Scoolio, an app used by schoolchildren in Germany, has compromised the sensitive information of 400,000 students. Lilith Wittmann from the IT security collective Zerforschung made the discovery, after which the app's team was contacted. Scoolio uses targeted advertising based on data collected from its users, most of whom are students, without their consent, even though it states that it does not gather any user data.
According to Wittmann's report, Scoolio's API flaws allowed data extraction based solely on a user ID. Anyone using this method could derive the user's nickname, email addresses, GPS history, school name and class, interests, UUID details, and personal details such as origin, religion, and sexuality. The researcher also provided a fictitious sample of the data types the flaw exposed.
The researcher also stated that the API fix needed to prevent the leak was rather simple, yet it came only 30 days later, on October 25, 2021, after she had informed the company of the leak on September 21, 2021. She adds that it is not possible to state how many students were affected, since Scoolio artificially inflates its user numbers. The company behind the app has released an official document detailing the fix and confirming the issue.
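As an added illustration (not Scoolio's code), the pattern behind an ID-keyed profile lookup that performs no object-level authorization check, beside a hardened version that checks the caller against the record owner and returns only the fields a non-owner needs, plus a simple log check that flags one session fetching many distinct profile IDs. All function names, records and log lines are constructed.

```python
"""Object-level authorization on a profile endpoint keyed by user ID.
Constructed example; the store, field names and log format are hypothetical."""

# Constructed in-memory user store; every value is fictitious.
USERS = {
    "u-1001": {"nickname": "anna", "email": "anna@example.org", "school": "Gymnasium A",
               "class": "10b", "gps_history": [(51.05, 13.74)], "religion": "n/a"},
    "u-1002": {"nickname": "ben", "email": "ben@example.org", "school": "Gymnasium A",
               "class": "10b", "gps_history": [(51.06, 13.75)], "religion": "n/a"},
}

# Fields that may be shown to a logged-in user other than the record owner.
PUBLIC_FIELDS = ("nickname", "school", "class")


def get_profile_vulnerable(session_user: str, target_id: str) -> dict:
    """Flawed pattern: the authenticated caller is ignored and any valid ID
    is served in full, so one account can read every other account."""
    return USERS[target_id]


def get_profile_hardened(session_user: str, target_id: str) -> dict:
    """Checks the caller against the record owner; non-owners get only the
    minimal public view, so email, GPS history and similar never leave."""
    record = USERS.get(target_id)
    if record is None:
        raise KeyError(target_id)
    if session_user != target_id:
        return {k: record[k] for k in PUBLIC_FIELDS if k in record}
    return dict(record)


# Constructed access log: "<session> GET /users/<id>".
SAMPLE_LOG = [
    "sess-a GET /users/u-1001",
    "sess-x GET /users/u-1001",
    "sess-x GET /users/u-1002",
    "sess-x GET /users/u-1003",
    "sess-x GET /users/u-1004",
]


def flag_enumeration(log_lines, threshold: int = 3) -> list:
    """Detection: return sessions that requested more distinct profile IDs
    than `threshold`, a sign of ID-based harvesting of the endpoint."""
    seen = {}
    for line in log_lines:
        session, _, path = line.split(" ", 2)
        if path.startswith("/users/"):
            seen.setdefault(session, set()).add(path.split("/")[2])
    return sorted(s for s, ids in seen.items() if len(ids) > threshold)
```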
Scoolio gives users tools for time management, homework planning, and staying in touch with peers, and even lets them contact companies about job openings or internship opportunities. The company behind it has partnered with many German schools, marketing it as a remote-teaching assistance app. It was developed with funding from three state-owned investment groups: SIB Innovations und Beteiligungsgesellschaft mbH, Technologiegründerfonds Sachsen, and Kreissparkasse Bautzen, so many students are pushed into using the app through partnerships and government initiatives endorsing it.
The main problem is that there is no audit for security gaps. A project started in August called "EduCheck Digital" (EDCD) is trying to determine which educational media meet German data protection regulations and can be cleared for use in schools.