From the archive #1: Kindergarten leaking data

This one is one of my regrets. This is one of those cases I should have told the world about. But now it's such a long time ago that naming anyone won't do any good.

Published: Mon, November 27, 2017, 07:45
Security Monday
Information leak
OWASP 2013 A7

tl;dr

An online kindergarten service used by many kindergartens was leaking a lot of data about all of the kids and their parents.

Summary

Who: It's too long ago, so I won't tell
Severity level: High
Reported: 2013
Reception and handling: Very good
Status: Fixed
Reward: iPad mini with engraved thank you
Issue: Information leak with data about kids and parents

Background

Early 2013 they started using an online system in my kid's kindergarten. The system contained personal info about kids as well as parents and was used for pictures and messages.

I really liked the system. It was very easy to do stuff like notifying the kindergarten if your kid was home sick, to see pictures of everyday life or to see if the sleep schedule was followed as it should be. It also seemed pretty user friendly for the staff, who had an iPad where they could easily click and register when a child was dropped off in the morning and do all other communication with the parents. It was supposed to replace all post-it notes and paperwork.

When we were told about the system and got logins for it we also got a brochure stating "All data in <the system> is handled with a very high degree of security". Of course, a statement like that works pretty much as a cue for me to look into the security of the system.

Approach (technical stuff)

It's hard to recall all the details years afterwards, and this was before I kept any notes about my findings, so the technical description isn't very long or deep. I started out as I normally do; I was using the site while having the browser development tools open. In general stuff looked pretty good. There seemed to be proper encryption, authentication and authorization all over the place. But one of the challenges with web application security is that authorization is off by default: you have to actively add it, in every single place, and implement it correctly.

Even if the authorization seems okay, there is almost always this one place or function where it's forgotten about. Often it's that one functionality that was added later or that one that no one uses that much. The kindergarten system had a function for exporting all the data they had stored about your child. It was some sort of background job that ran asynchronously and was kickstarted by some URL. The URL contained an incremental integer ID named childId. The ID was scoped to the entire kindergarten, not to your own child (and the online system was running many, many kindergartens).

As you might have guessed, one could just change the ID and start the background job for another child in the same kindergarten. When the job was done you got a downloadable ZIP file with all of the contents.

Security issue

Screenshot from security issue.

The URL for creating a downloadable archive with all of the contents belonging to the child didn't have an authorization check. It was possible to systematically download all contents for all children within the same kindergarten.

This is the data that was available:

  • Full name of the child
  • Birthday of the child
  • Address of the child
  • Full name of the parents
  • Phone numbers of the parents
  • E-mail address of the parents
  • General practitioner (GP) of the child
  • Info about whether the child follows the government vaccination program or not
  • Potential other health information like allergies
  • The child's sleep needs
  • Pictures of the child
  • Pictures of other children in the same kindergarten department
  • Messages sent between parents and kindergarten
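The missing check, as an added example that is not part of the original post and not the vendor's code: a minimal in-memory version of the "start export for childId" endpoint in the vulnerable shape the approach section describes (the caller is authenticated and the child is confirmed to belong to the caller's kindergarten, but nobody checks that the caller is that child's parent), beside a hardened one that resolves the child through the caller's own relationships, and the same enumeration loop run against both. The names (User, Child, start_export_vulnerable, start_export, download_export, children_of, enumerate_exports) and the sample rows are assumptions constructed for this example.

```python
"""Vulnerable vs. hardened "export all data about my child" endpoint.

Added example, not the kindergarten system's own code.  The names (User,
Child, start_export*, download_export, children_of) and the in-memory
tables are assumptions; the sample rows are constructed.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Set


@dataclass(frozen=True)
class User:
    user_id: int
    kindergarten_id: int


@dataclass(frozen=True)
class Child:
    child_id: int               # incremental integer, like childId in the URL
    kindergarten_id: int
    parent_ids: FrozenSet[int]  # user_ids entitled to this child's data


# Constructed sample data: two kindergartens served by the same system.
USERS: Dict[int, User] = {
    1: User(1, kindergarten_id=10),
    2: User(2, kindergarten_id=10),
    3: User(3, kindergarten_id=20),
}
CHILDREN: Dict[int, Child] = {
    101: Child(101, 10, frozenset({1})),
    102: Child(102, 10, frozenset({2})),
    103: Child(103, 20, frozenset({3})),
}
JOBS: Dict[str, int] = {}  # job token -> child_id, filled by the handlers


def _enqueue(child: Child) -> str:
    """Stand-in for the asynchronous export job; returns an unguessable job token."""
    token = secrets.token_urlsafe(16)
    JOBS[token] = child.child_id
    return token


def children_of(user: User) -> Dict[int, Child]:
    """Deny-by-default view: only the children this user is a parent of."""
    return {cid: c for cid, c in CHILDREN.items() if user.user_id in c.parent_ids}


def start_export_vulnerable(user: User, child_id: int) -> Optional[str]:
    """The bug class from the post: authenticated, tenant-scoped, not authorized.

    The child is confirmed to belong to the caller's kindergarten, but nobody
    checks that *this* parent is entitled to *this* child, so any parent in
    the kindergarten can start an export for any childId in it.
    """
    child = CHILDREN.get(child_id)
    if child is None or child.kindergarten_id != user.kindergarten_id:
        return None  # think HTTP 404
    return _enqueue(child)  # think HTTP 202 with the job token


def start_export(user: User, child_id: int) -> Optional[str]:
    """Hardened: resolve the child through the caller's own relationships.

    An id that exists but is not theirs is indistinguishable from one that
    does not exist, so the endpoint neither exports it nor confirms the id.
    """
    child = children_of(user).get(child_id)
    return None if child is None else _enqueue(child)


def download_export(user: User, token: str) -> Optional[bytes]:
    """Second place the check is often forgotten: the download URL.  A random
    job token is not authorization; re-resolve the child through the caller."""
    child_id = JOBS.get(token)
    if child_id is None or child_id not in children_of(user):
        return None
    return b"PK\x03\x04...constructed stand-in for the ZIP..."


def enumerate_exports(handler, user: User, candidate_ids: Iterable[int]) -> Set[int]:
    """What the post describes: walk the incremental childId space with one
    session and note which ids started a job.  A burst of sequential ids from
    one session like this is also the signal a log review would look for."""
    return {cid for cid in candidate_ids if handler(user, cid) is not None}


if __name__ == "__main__":
    parent = USERS[1]  # parent of child 101 only
    ids = range(100, 110)
    print("vulnerable:", sorted(enumerate_exports(start_export_vulnerable, parent, ids)))
    print("hardened:  ", sorted(enumerate_exports(start_export, parent, ids)))
```

Two points the example makes that the write-up only implies: scoping to the caller's kindergarten is not authorization, and the random job token handed back by the asynchronous job is not authorization either, so the download step needs the same parent lookup as the start step. Answering the same 404-style result for "no such child" and "not your child" also keeps the endpoint from doubling as an oracle for which ids are valid.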

Reception and handling

Day zero

Pretty late at night I sent an e-mail to both the manager of our kindergarten and the CEO of the whole kindergarten system.

Just 30 minutes later that night I got a reply from the CEO thanking me for the report and saying that they would look into it immediately.

Day 1

Early in the evening I got a new, longer reply from the CEO. They had already closed the issue for all customers. While this was a classical programming error, the description of the system structure, storage and access control was pretty satisfying. And supposedly the kindergartens are not allowed to store any information that is regarded as sensitive (as defined by law), though I assume all parents feel that all that data about their child is pretty sensitive.

A couple of hours later I also got a reply from the manager of the kindergarten. It was a bit more lightweight than I would have wished for, with no criticism voiced towards the vendor of the system, but he thanked me and said he was sorry for the incident.

Day 15

Out of the blue the CEO sent me an e-mail asking if he had the correct address for me, as they wanted to send me a little something.

I have to admit that receiving an iPad mini and their general tone through the process probably was enough to hold me back from telling the media back then.

Another kindergarten system with vulnerabilities

After I started this blog I noticed a tweet about a talk about vulnerabilities in an online kindergarten system. It's a great talk given by Halvor Sakshaug at NDC Oslo earlier this year.

From the screenshots I could see that this is a completely different kindergarten service from the one I used. So this means even more kids' security and information were vulnerable.

Conclusion

This issue has always been bothering me a bit. It was pretty serious, but I didn't disclose it publicly. It's one of many examples of serious issues that have absolutely no consequences for the company doing the harm, and where the users put at risk are never informed about it.

With this issue as a backdrop, it was one of the reasons I decided to start disclosing security issues on my blog. People need to know that all their personal data is in the hands of anyone who wants it.

And with the other kindergarten system with vulnerabilities mentioned above, and the security issues in the smart watch for kids that I discovered late this summer, I feel even more strongly that we need more disclosure and more attention to IT security.
