This one is one of my regrets. This is one of those cases I should have told the world about. But it is such a long time ago now that naming anyone won't do any good.
Published: Mon, November 27, 2017, 07:45
OWASP 2013 A7 (Missing Function Level Access Control)
An online kindergarten service used by many kindergartens was leaking data about all of the kids and their parents.
Who: It's too long ago, so I won't tell
Reception and handling: Very good
Reward: iPad mini with engraved thank you
Issue: Information leak with data about kids and parents
In early 2013 my kid's kindergarten started using an online system. The system contained personal info about the kids as well as the parents and was used for pictures and messages.
I really liked the system. It was very easy to do things like notifying the kindergarten if your kid was home sick, seeing pictures of everyday life or checking that the sleep schedule was followed as it should be. It also seemed pretty user friendly for the staff, who had an iPad where they could easily click and register when a child was dropped off in the morning and handle all other communication with the parents. It was supposed to replace all post-it notes and paperwork.
When we were told about the system and got logins for it we also got a brochure saying "All data in <the system> is handled with a very high degree of security". Of course, a statement like that works pretty much as a cue for me to look into the security of the system.
It's hard to recall all the details years afterwards, and this was before I kept any notes about my findings, so the technical description isn't very long or deep. I started out as I normally do: I used the site while keeping the browser development tools open. In general things looked pretty good. There seemed to be proper encryption, authentication and authorization all over the place. But one of the challenges with web application security is that authorization is off by default; you have to actively add it to every function and implement it correctly.
Even if the authorization seems okay, there is almost always that one place or function where it's been forgotten. Often it's the functionality that was added later, or the one that nobody uses much. The kindergarten system had a function for exporting all the data they had stored about your child. It was some sort of background job that ran asynchronously and was kicked off by a URL. The URL contained an incremental integer ID named childId. The ID was valid across the entire kindergarten (and the online system was running many, many kindergartens).
As you might have guessed, one could just change the ID and start the background job for another child in the same kindergarten. When the job was done you got a downloadable ZIP file with all of the contents.
The URL for creating a downloadable archive with all of the contents belonging to a child had no authorization check. It was possible to systematically download all contents for all children within the same kindergarten.
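To make the flaw concrete, here is an added, constructed model of the export endpoint and of the enumeration it allowed. This is not the vendor's code; the names (`export_vulnerable`, `export_hardened`, `start_export`, `download`, the sample kindergartens and parents) are assumptions made for the illustration. The hardened version does two things the original apparently did not: it checks that the authenticated user is actually a parent of the requested child, and it hands out the finished archive under a random job token bound to that user rather than under the guessable childId.

```python
"""Constructed example (not the kindergarten vendor's code): an export endpoint
that trusts a sequential childId, the enumeration that exploits it, and a
hardened variant with a real authorization check and opaque download tokens."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Child:
    child_id: int
    kindergarten: str
    name: str
    parents: frozenset  # usernames allowed to see this child's data


@dataclass(frozen=True)
class Session:
    user: str          # the authenticated parent
    kindergarten: str  # the kindergarten the parent belongs to


# Constructed sample data. childId is a global sequential integer, as in the
# original system; two kindergartens share the same id space.
CHILDREN = {
    1: Child(1, "sunshine", "child-1", frozenset({"parent-a"})),
    2: Child(2, "sunshine", "child-2", frozenset({"parent-b"})),
    3: Child(3, "rainbow", "child-3", frozenset({"parent-c"})),
}


class Forbidden(Exception):
    """Raised by the hardened endpoint for any id the caller may not export."""


def build_archive(child):
    # Stands in for the real background job that produced a ZIP file.
    return f"archive-for-{child.name}.zip"


def export_vulnerable(session, child_id):
    """The original pattern: the caller is authenticated, but nothing checks
    that the childId in the URL belongs to one of the caller's own children."""
    child = CHILDREN.get(child_id)
    if child is None:
        return None
    return build_archive(child)


def export_hardened(session, child_id):
    """Authorization check: the child must exist, belong to the caller's
    kindergarten, and list the caller as a parent. Unknown ids and foreign ids
    are rejected identically so an enumerator cannot tell them apart."""
    child = CHILDREN.get(child_id)
    if (
        child is None
        or child.kindergarten != session.kindergarten
        or session.user not in child.parents
    ):
        raise Forbidden(f"user {session.user} may not export childId {child_id}")
    return build_archive(child)


def enumerate_children(export, session, max_id):
    """What an attacker does with a sequential id: walk the whole range and
    keep every archive the endpoint hands back."""
    leaked = {}
    for cid in range(1, max_id + 1):
        try:
            archive = export(session, cid)
        except Forbidden:
            continue
        if archive is not None:
            leaked[cid] = archive
    return leaked


# Second layer: the finished archive is fetched by a random job token bound to
# the user who started the job, not by the predictable childId.
JOBS = {}  # token -> (owner username, archive)


def start_export(session, child_id):
    archive = export_hardened(session, child_id)  # authorization happens here
    token = secrets.token_urlsafe(32)            # 256 bits, not guessable
    JOBS[token] = (session.user, archive)
    return token


def download(session, token):
    entry = JOBS.get(token)
    if entry is None or entry[0] != session.user:
        raise Forbidden("unknown token or token owned by another user")
    return entry[1]


if __name__ == "__main__":
    parent_a = Session("parent-a", "sunshine")
    print("vulnerable:", enumerate_children(export_vulnerable, parent_a, 10))
    print("hardened:  ", enumerate_children(export_hardened, parent_a, 10))
```

Run against the constructed data, the vulnerable endpoint gives `parent-a` the archives for all three children, including one in another kindergarten, while the hardened one returns only child 1. Using a random job token for the download URL is defense in depth on top of the authorization check, not a replacement for it: the check on `childId` is still what decides who may start the job.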
This is the data that was available:
Pretty late at night I sent an e-mail to both the manager of our kindergarten and the CEO of the company behind the kindergarten system.
Just 30 minutes later that night I got a reply from the CEO thanking me for the report and saying that they would look into it immediately.
Early at night I got a new, longer reply from the CEO. They had already closed the issue for all customers. While this was a classic programming error, the description of the system structure, storage and access control was pretty reassuring. And supposedly the kindergartens are not allowed to store any information that is regarded as sensitive (as defined by law), though I assume all parents feel that all that data about their child is pretty sensitive.
A couple of hours later I also got a reply from the manager of the kindergarten. It was a bit more "light" than I would have wished for, with no criticism of the vendor of the system, but he thanked me and said he was sorry for the incident.
Out of the blue the CEO sent me an e-mail asking if he had found the correct address for me, as they wanted to send me a little something.
I have to admit that receiving an iPad mini and their general tone through the process probably was enough to hold me back from telling the media back then.
After I started this blog I noticed a tweet about a talk about vulnerabilities in an online kindergarten system. It's a great talk given by Halvor Sakshaug at NDC Oslo earlier this year.
From the screenshots I could see that this is a completely different kindergarten service than the one I used. So this means even more kids' security and information was vulnerable.
This issue has always bothered me a bit. It was pretty serious, but I didn't disclose it publicly. It's one of many examples of serious issues that have absolutely no consequences for the company doing the harm, and the users put at risk are never informed about it.
With this issue as a backdrop, it was one of the reasons I decided to start disclosing security issues on my blog. People need to know that all their personal data is in the hands of anyone who wants it.
And with the other kindergarten system with vulnerabilities mentioned above, and the security issues in the smart watch for kids that I discovered late this summer, I feel even more strongly that we need more disclosure and more attention to IT security.