Student raised security concerns in Mobile Guardian MDM weeks before cyberattack
A person claiming to be a student in Singapore publicly posted documentation showing lax security in a widely popular school mobile device management service called Mobile Guardian, weeks before a cyberattack on the company resulted in the mass-wiping of student devices and widespread disruption.
The U.K.-based Mobile Guardian, which provides student device management software in thousands of schools around the world, disclosed the breach on August 4 and shut down its platform to block the malicious access, but not before the intruder used their access to remotely wipe thousands of student devices.
A day later, the student published details of the vulnerability he had previously sent to the Singaporean Ministry of Education, a major customer of Mobile Guardian since 2020.
In a Reddit post, the student said the security bug he found in Mobile Guardian granted any signed-in user ‘super admin’ access to the company’s user management system. With that access, the student said, a malicious person could perform actions that are reserved for school administrators, including the ability to ‘reset every person’s personal learning device.’
‘We also confirmed that the disclosed exploit was no longer workable after the patch. In June, an independent certified penetration tester conducted a further assessment, and no such vulnerability was detected,’ said the spokesperson.
‘Nevertheless, we are mindful that cyber threats can evolve quickly and new vulnerabilities discovered,’ the spokesperson said, adding that the ministry ‘regards such vulnerability disclosures seriously and will investigate them thoroughly.’
Bug exploitable in anyone’s browser
The bug meant that the server could be tricked into accepting the higher level of system access for a user’s account by modifying the network traffic in the browser.
The video showed the server accepting the modified network request; once logged in as the newly created ‘super admin’ account, the user was granted access to a dashboard displaying lists of Mobile Guardian-enrolled schools.
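The flaw described above is the classic pattern of a server copying a privilege level out of a request the client controls. The following added example (not Mobile Guardian's code; the handler names, role names and session model are assumptions for illustration) shows such a user-creation handler beside a hardened version that decides privilege from the authenticated caller's server-side session, rejects any client-supplied role field, and records the attempt for detection:

```python
from dataclasses import dataclass, field

# Constructed role ladder; higher number means more privilege.
ROLES = {"user": 0, "school_admin": 1, "super_admin": 2}


@dataclass
class Session:
    """What the server knows about the authenticated caller (assumed model)."""
    user_id: str
    role: str


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)


def create_user_vulnerable(session, body, store):
    """Bug pattern: the 'role' in the request body is trusted as-is, so any
    signed-in user can create an account at the highest privilege level."""
    store.users[body["username"]] = {"role": body.get("role", "user")}
    return store.users[body["username"]]


def create_user_hardened(session, body, store):
    """Privilege comes only from the server-side session. A body that names a
    role is refused (fail closed) and logged, because a legitimate client
    never sends one; new accounts start at the lowest role."""
    if "role" in body:
        store.audit_log.append(("client_supplied_role", session.user_id, body["role"]))
        raise PermissionError("client-supplied role rejected")
    if ROLES[session.role] < ROLES["school_admin"]:
        store.audit_log.append(("unauthorized_create", session.user_id))
        raise PermissionError("only administrators may create accounts")
    store.users[body["username"]] = {"role": "user", "created_by": session.user_id}
    return store.users[body["username"]]


def attempt(handler, session, body, store):
    """Run a handler; return the role it assigned, or None if it refused."""
    try:
        return handler(session, body, store)["role"]
    except PermissionError:
        return None
```

The audit entries are the signal a detection rule would key on: any request carrying a role field from an ordinary user account is a tampering attempt, not a client bug.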
Mobile Guardian CEO Patrick Lawson did not respond to multiple requests for comment prior to publication, including questions about the student’s vulnerability report and whether the company fixed the bug.
After we contacted Lawson, the company updated its statement as follows: ‘Internal and third party investigations into previous vulnerabilities of the Mobile Guardian Platform are confirmed to have been resolved and no longer pose a risk.’ The statement did not say when the previous flaws were resolved nor did the statement explicitly rule out a link between the previous flaws and its August cyberattack.
This is the second security incident to beset Mobile Guardian this year. In April, the Singaporean education ministry confirmed the company’s management portal had been hacked and the personal information of parents and school staff from hundreds of schools across Singapore compromised. The ministry attributed the breach to Mobile Guardian’s lax password policy, rather than a vulnerability in its systems.
Do you know more about the Mobile Guardian cyberattack? Are you affected? Get in touch. You can contact this reporter on Signal and WhatsApp at +1 646-755-8849, or by email. You can send files and documents via SecureDrop.
Ref: techcrunch