Student Warned of Security Flaws in Mobile Guardian Weeks Before Cyberattack

10 August 2024

Zaker Adham

Summary

A student in Singapore recently highlighted security vulnerabilities in Mobile Guardian, a popular school mobile device management service, weeks before a cyberattack caused widespread disruption by wiping student devices.


In an email to TechCrunch, the student, who wished to remain anonymous due to fear of legal repercussions, reported the bug to the Singaporean government in late May. Although the government claimed the bug was fixed before the August 4 cyberattack, the student expressed concerns about the ease of exploiting such vulnerabilities.


Mobile Guardian, a UK-based company serving thousands of schools globally, disclosed the breach on August 4 and shut down its platform to prevent further malicious access. However, the attacker had already wiped thousands of student devices.


The day after the breach, the student published details of the vulnerability, which he had previously reported to the Singaporean Ministry of Education, a major client of Mobile Guardian since 2020.


In a Reddit post, the student explained that the security flaw allowed any signed-in user to gain "super admin" access to Mobile Guardian's user management system. This access enabled malicious actions typically reserved for school administrators, such as resetting personal learning devices.


The student initially reported the issue to the Singaporean education ministry on May 30. Three weeks later, the ministry responded, stating the flaw was "no longer a concern" but did not provide further details due to "commercial sensitivity."


When contacted by TechCrunch, the ministry confirmed it had received the bug report and that the vulnerability had been patched during an earlier security screening. An independent penetration tester later confirmed the exploit was no longer viable.


Despite these assurances, the ministry acknowledged the evolving nature of cyber threats and emphasized the importance of thoroughly investigating vulnerability disclosures.


Bug Exploitable in Any Browser

The student described the bug as a client-side privilege escalation vulnerability, allowing anyone to create a new Mobile Guardian user account with high system access using only web browser tools. This was due to Mobile Guardian's servers not performing proper security checks and trusting browser responses.


A video provided to TechCrunch, recorded on May 30, demonstrated the bug. It showed a "super admin" account being created by modifying network traffic in the browser; the server accepted the altered request and granted access to a dashboard listing Mobile Guardian-enrolled schools.
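The flaw the student describes is a classic server-side trust failure: the role of a new account is taken from the request rather than decided by the server. The following is an added illustration, not Mobile Guardian's code or anything the student published; the role names, the permission table and the request shape are assumptions. It places the trusting pattern beside a hardened handler that derives the assignable roles from the caller's own session and records rejected attempts, which is also the signal a defender would want in audit logs.

```javascript
// Added example (hypothetical code, not Mobile Guardian's): server-side
// enforcement of account roles. Role names and policy below are assumptions.

const ROLES = ["user", "school_admin", "super_admin"];

// Assumed policy: which roles a caller with a given role may grant to a new account.
const ASSIGNABLE = {
  user: [],
  school_admin: ["user"],
  super_admin: ["user", "school_admin", "super_admin"],
};

// Trusting pattern: the server copies `role` straight from the request body.
// Any signed-in user who edits the request before it leaves the browser
// receives whatever role they asked for.
function createUserInsecure(session, body) {
  if (!session || !session.userId) return { status: 401 };
  return { status: 201, user: { email: body.email, role: body.role } };
}

// Hardened pattern: the server looks up the caller's role from its own session
// store and only honours a requested role that this caller is allowed to grant.
// The client-supplied value is treated as untrusted input, never as authority.
function createUserSecure(session, body) {
  if (!session || !session.userId) return { status: 401 };
  const allowed = ASSIGNABLE[session.role] || [];
  const requested = typeof body.role === "string" ? body.role : "user";
  if (!ROLES.includes(requested) || !allowed.includes(requested)) {
    // Reject and surface an audit record: an ordinary user asking for
    // super_admin is exactly the event a SOC would want alerted on.
    return {
      status: 403,
      audit: { actor: session.userId, actorRole: session.role, requestedRole: requested },
    };
  }
  return { status: 201, user: { email: String(body.email), role: requested } };
}

// Constructed sample input: the body as the server would see it after a
// signed-in ordinary user altered the role field in the browser.
const tamperedBody = { email: "newaccount@example.test", role: "super_admin" };
const ordinaryUserSession = { userId: "u-123", role: "user" };
const superAdminSession = { userId: "a-1", role: "super_admin" };
```

With `ordinaryUserSession`, `createUserInsecure` returns a 201 with `role: "super_admin"`, while `createUserSecure` returns a 403 carrying an audit record; the same body from `superAdminSession` is accepted by both. The design point is that authorization data must come from state the server controls (the session), and anything arriving in the request body is only a selection among options the server has already decided the caller may make.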


Mobile Guardian CEO Patrick Lawson did not respond to multiple requests for comment before publication. After being contacted, the company updated its statement, confirming that previous vulnerabilities had been resolved and no longer posed a risk. However, the statement did not specify when the flaws were fixed or rule out a connection to the August cyberattack.


This incident marks the second security breach for Mobile Guardian this year. In April, the Singaporean education ministry confirmed a hack of the company's management portal, compromising personal information of parents and school staff from hundreds of schools. The breach was attributed to Mobile Guardian's lax password policy rather than a system vulnerability.


If you have more information about the Mobile Guardian cyberattack or are affected, please get in touch. You can contact this reporter on Signal and WhatsApp at +1 646-755-8849, or by email. Files and documents can be sent via SecureDrop.