WhiteHat Jr, an online coding platform for children, says it has fixed vulnerabilities in its setup after receiving responsible disclosures about possible security flaws.
A security researcher who identified this bug told The Quint that multiple responsible disclosures were made to the company on the issue. The researcher did not wish to be named.
The researcher also confirmed to The Quint that after he reported the vulnerabilities on November 19, he received an acknowledgment email the next day. Access to WhiteHat Jr's AWS services had been restricted as of November 20, the report said.
"According to what I found out, the personal data of over 2.8 lakh students including names of their parents were lying exposed due to a vulnerability on the company's server-side," the researcher told The Quint.
In a statement, WhiteHat Jr said that it takes security and privacy issues very seriously. "We store basic customer information (name, contact information, projects, and curriculum-related info, pictures) with the required consent. There are no other PII of our customers, employees, suppliers collected/ processed by WhiteHatJr on our applications," it said.
It added that, based on the responsible disclosures it received about possible security vulnerabilities, it reviewed its setup and patched the identified vulnerabilities, applying the fixes as soon as the vulnerabilities in its applications and servers were identified.
"Based on information received from responsible disclosures, we reviewed our setup and worked to patch specific identified vulnerabilities within 24 hours. We reiterate that no breach of data has happened in this context on the company's computer systems and networks; out of an abundance of caution we are continuing our investigation to ensure that this is the case," it said.
The responsible disclosures also showed that the company had left a backend server open, giving outsiders access to plaintext data including students' names, ages, gender, images, user IDs, parents' names, and progress reports.
Besides the personally identifiable information of minors, the servers had also exposed information pertaining to teachers as well as parents of the students, the researcher said.
This also included salary documents of the company, internal company documents, and dozens of recorded videos of classes that were being conducted on the platform.
It was also noted that personal data was being leaked through WhiteHat Jr's API: one user could view another user's data, including transaction details, by requesting it. That is an authorization failure at the object level (commonly called an insecure direct object reference), and it is independent of the storage exposure described below, since the API itself returned records the caller did not own.
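To show the API flaw concretely, here is an added example (not WhiteHat Jr's code, and not derived from its API): a minimal transactions lookup in which the vulnerable handler returns any record whose identifier the caller supplies, next to a hardened version that checks that the authenticated user owns the record. The users, records and handler signatures are constructed for the demonstration; the probe at the end is the check a tester would run against both versions.

```python
"""Added example (not WhiteHat Jr's code): a minimal transactions API showing
the reported flaw, where an authenticated user can fetch another user's
records by changing an identifier, next to the hardened version that checks
ownership. Users, records and the request shape are constructed for the demo."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    txn_id: int
    owner_id: int
    amount: float
    card_last4: str


# Constructed sample data: two parents (user 1 and user 2), one payment each.
TRANSACTIONS = {
    101: Transaction(101, owner_id=1, amount=4999.0, card_last4="1234"),
    102: Transaction(102, owner_id=2, amount=3499.0, card_last4="9876"),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


def get_transaction_vulnerable(session_user_id: int, txn_id: int) -> Transaction:
    """Looks the record up by id only. The session identity is never compared
    with the record's owner, so user 1 can read user 2's transaction simply
    by asking for txn_id=102."""
    return TRANSACTIONS[txn_id]


def get_transaction_hardened(session_user_id: int, txn_id: int) -> Transaction:
    """Object-level authorization: the record is returned only when the
    authenticated user owns it. 'Missing' and 'not yours' share one error path
    so the response does not reveal whether the id exists."""
    txn = TRANSACTIONS.get(txn_id)
    if txn is None or txn.owner_id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not read transaction {txn_id}")
    return txn


def cross_user_reads(handler) -> list[tuple[int, int]]:
    """Probe: every known user requests every known transaction id, and each
    (user, txn) pair where a user obtains a record they do not own is reported.
    An empty list means the handler enforces ownership."""
    leaks = []
    for user_id in sorted({t.owner_id for t in TRANSACTIONS.values()}):
        for txn_id in TRANSACTIONS:
            try:
                got = handler(user_id, txn_id)
            except Forbidden:
                continue
            if got.owner_id != user_id:
                leaks.append((user_id, txn_id))
    return leaks


if __name__ == "__main__":
    print("vulnerable handler leaks:", cross_user_reads(get_transaction_vulnerable))
    print("hardened handler leaks:  ", cross_user_reads(get_transaction_hardened))
```

The probe is deliberately exhaustive over a small constructed dataset; against a real API the same idea is applied with two test accounts, requesting the second account's identifiers from the first session and expecting a 403 or 404, never the record.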
How was this made accessible?
According to the security researcher's findings, WhiteHat Jr was hosting on Amazon Web Services (AWS), and its S3 storage buckets had been left open to the public, allowing outsiders to browse and download a trove of folders containing documents, files, data, and videos. S3 buckets are private by default; a bucket becomes readable by anyone on the internet only when its ACL or bucket policy grants access to everyone and the account's or bucket's Block Public Access settings do not override that grant. Those three settings are what an audit for this kind of exposure needs to check.
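As an added illustration of that check (this is example code written for this article, not WhiteHat Jr's setup or any AWS tooling), the script below classifies a bucket as public or not from the three documents that decide it: the Block Public Access configuration, the bucket ACL, and the bucket policy. It runs offline on constructed sample documents in the shape the AWS CLI returns; in practice the inputs come from `aws s3api get-public-access-block`, `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` for each bucket. The bucket name and the example ACL, policy and flag values are assumptions made for the demonstration.

```python
"""Added example (not WhiteHat Jr's or AWS's code): decide from a bucket's
Block Public Access flags, ACL grants and bucket policy whether it is readable
by the public. All documents below are constructed to mirror the shape of the
AWS CLI output; the bucket name 'example-bucket' is an assumption."""
from __future__ import annotations

import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal_is_public(principal) -> bool:
    """Principal may be the string "*" or {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_read(policy: dict) -> list[str]:
    """Return the Sids of Allow statements that let anyone read or list.
    Statements carrying a Condition are skipped: they may be restricted to a
    VPC endpoint or source IP, so a human must review them rather than a
    script declaring them safe."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if READ_ACTIONS & set(_as_list(stmt.get("Action", []))):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def acl_public_read(acl: dict) -> list[str]:
    """Return the predefined groups (AllUsers / AuthenticatedUsers) holding
    READ or FULL_CONTROL. AuthenticatedUsers means any AWS account in the
    world, not your own users, so it counts as public here."""
    out = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS) and grant.get("Permission") in ("READ", "FULL_CONTROL"):
            out.append(uri.rsplit("/", 1)[-1])
    return out


def classify_bucket(pab: dict | None, acl: dict, policy: dict | None) -> dict:
    """Combine the settings the way S3 applies them: IgnorePublicAcls makes
    S3 disregard public ACL grants, RestrictPublicBuckets neutralises a public
    bucket policy, and the other two flags only block new public grants from
    being added. pab=None models a bucket with no Block Public Access set."""
    flags = (pab or {}).get("PublicAccessBlockConfiguration", {})
    acl_hits = acl_public_read(acl)
    pol_hits = policy_public_read(policy or {})
    acl_exposed = bool(acl_hits) and not flags.get("IgnorePublicAcls", False)
    pol_exposed = bool(pol_hits) and not flags.get("RestrictPublicBuckets", False)
    return {"public": acl_exposed or pol_exposed, "acl": acl_hits, "policy": pol_hits}


# Constructed sample documents (not real buckets).
EXPOSED_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
PRIVATE_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
]}
# get-bucket-policy returns the policy as a JSON string; parse it as the CLI user would.
EXPOSED_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}''')
CONDITIONED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123"}}}]}
ALL_BLOCKED = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}

if __name__ == "__main__":
    print("open bucket:      ", classify_bucket(None, EXPOSED_ACL, EXPOSED_POLICY))
    print("after remediation:", classify_bucket(ALL_BLOCKED, EXPOSED_ACL, EXPOSED_POLICY))
```

The second print shows why turning on all four Block Public Access flags is the fast fix: the public ACL grant and the public policy statement are still present, but S3 no longer honours them. The script cannot see object-level ACLs, pre-signed URLs, or CloudFront distributions in front of the bucket, so a clean result here is a necessary check, not a complete one.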