A security researcher was able to exploit an API flaw in Scoolio, and access the personal data of nearly 400,000 students registered in it.
Scoolio is a german app for students, used mainly for educational updates, record keeping, and networking. After informing the flaw to Scoolio’s developer, a fix was released this week to patch the bug.
Scoolio Leaked Student Data
Scoolio is a student community app for german students, used for tutoring, building management skills, homework planning, networking with peers, and even finding job opportunities and internships.
The platform is backed by over three state-owned investment groups, namely Technologiegründerfonds Sachsen, SIB Innovations – und Beteiligungsgesellschaft mbH and Kreissparkasse Bautzen. Thus, it’s trusted by all students and educational institutions in the country, and used in daily life.
In September, a security researcher named Lilith Wittmann of Zerforchung firm has discovered a flawed API in Scoolio, through which she was able to access the personal data of nearly 400,000 users. The exposed data includes
- User nickname
- User and parent email addresses
- GPS location at which the app was last opened
- Name of school and class
- Interests
- UUID details
- Personality traits (origin, religion, sexuality)
Though Scoolio boasts about having 1.8 million registered students, Wittmann was able to find only 400,000 records, as the rest were duped by Scoolio with partial accounts. She stated that, even if a potential user downloaded and opened the app, he/she will be given a UUID.
Not considering such empty accounts, the actual number would be around 400,000. Wittmann disclosed the flaw to Scoolio on September 21st this year, to which they responded with a patch on 25th October 2021.
While the API flaw was patched now, Wittmann wished for a quicker response considering the nature of the data leak and the simplicity of the patching process. Yet, she was appreciated by Scoolio for the disclosure and assured that none have accessed the exposed records before her.
