Bug in student admissions website exposed children’s personal information

A significant security flaw on the student admissions platform Ravenna Hub has been addressed, which previously allowed unauthorized access to sensitive personal information of children. This website, utilized by families to enroll their children in various schools, was inadvertently permitting any logged-in user to view the identifiable data of others, including their children. The compromised information encompassed names, birth dates, addresses, photographs, and school details of the students. Additionally, the site exposed parents' email addresses and phone numbers, along with information about siblings. Managed by Florida-based VentureEd Solutions, Ravenna Hub serves over a million students and processes hundreds of thousands of applications annually. TechCrunch discovered the vulnerability and promptly informed VentureEd, which managed to rectify the issue on the same day. However, TechCrunch chose to delay the report until the fix was confirmed. Nick Laird, the CEO of VentureEd Solutions, acknowledged in an email that the company successfully replicated the issue and resolved the vulnerability. He mentioned that an investigation is underway but did not confirm if users would be notified about the security breach or if there was a means to check for any unauthorized access to data. The vulnerability is categorized as an insecure direct object reference (IDOR), a prevalent security flaw that enables users to access data without adequate security measures in place. Essentially, this flaw allowed any logged-in user to view another student's information by simply altering the unique identifier associated with a student's profile in their browser's address bar. Given that student numbers are sequential, it was easy for users to access the data of other students by adjusting the profile number. Upon creating a new account for testing, TechCrunch identified that the URL contained a seven-digit number, indicating that over 1.63 million records were potentially accessible to any user. This incident marks yet another troubling security breach involving elementary security oversights that jeopardize the personal data of children. Earlier this year, the online mentoring platform UStrive also faced scrutiny for exposing the personal information of many young users.