Image Credits: Marijan Mura / Getty Images
A person claiming to be a student in Singapore publicly posted documentation showing lax security measures in a widely popular school mobile device management service called Mobile Guardian, weeks before a cyberattack on the company resulted in the mass-wiping of student devices and widespread disruption.
In an email with TechCrunch, the student, who refused to provide his name citing fear of legal retaliation, said he reported the bug to the Singaporean government by email in late May but could not be sure that the bug was ever fixed. The Singaporean government told TechCrunch that the bug was fixed prior to Mobile Guardian's cyberattack on August 4, but the student said that the bug was so easy to find and trivial for an unsophisticated attacker to exploit that he feared there are more vulnerabilities of similar exploitability.
The U.K.-based Mobile Guardian, which provides student device management software in thousands of schools around the world, disclosed the breach on August 4 and shut down its platform to block the malicious access, but not before the intruder used their access to remotely wipe thousands of student devices.
A day later, the student published details of the vulnerability he had previously sent to the Singaporean Ministry of Education, a major customer of Mobile Guardian since 2020.
In a Reddit post, the student said the security bug he found in Mobile Guardian granted any signed-in user "super admin" access to the company's user management system. With that access, the student said, a malicious person could perform actions that are reserved for school administrators, including the ability to "reset every person's personal learning device."
The student wrote that he reported the issue to the Singaporean education ministry on May 30. Three weeks later, the ministry responded to the student saying the flaw is "no longer a concern," but declined to share any further details with him, citing "commercial sensitivity," according to the email seen by TechCrunch.
When reached by TechCrunch, the ministry confirmed it had received word of the bug from the security researcher, and that "the vulnerability had been picked up as part of an earlier security screening, and had already been patched," as per spokesperson Christopher Lee.
"We also confirmed that the disclosed exploit was no longer workable after the patch. In June, an independent certified penetration tester conducted a further assessment, and no such vulnerability was detected," said the spokesperson.
"Nevertheless, we are mindful that cyber threats can evolve quickly and new vulnerabilities discovered," the spokesperson said, adding that the ministry "takes such vulnerability disclosures seriously and will investigate them thoroughly."
Bug exploitable in anyone’s browser
The student described the bug to TechCrunch as a client-side privilege escalation vulnerability, which allowed anyone on the internet to create a new Mobile Guardian user account with an extremely high level of system access using only the tools in their web browser app. This was because Mobile Guardian's servers were allegedly not performing the right security checks and were trusting responses from the user's web browser.
The bug meant that the server could be tricked into accepting a higher level of system access for a user's account by modifying the network traffic in the web browser.
TechCrunch was given a video, recorded on May 30, the day of disclosure, demonstrating how the bug worked. The video showed the user creating a "super admin" account using only the browser app's built-in tools to modify the network traffic containing the user's role, elevating that account's access from "admin" to "super admin."
The video showed the server accepting the modified network request, and when logged in as that newly created "super admin" user account, granted access to a dashboard displaying lists of Mobile Guardian enrolled schools.
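The class of bug described above, as an added example that is not Mobile Guardian's code (the handler, session and audit-log names are assumptions): a server that copies a client-supplied role into the new account, beside one that derives the role from the server-side session and records any attempted elevation for detection.

```javascript
// Added example, not from the original article. Valid roles are assumed.
const ROLES = new Set(["user", "admin", "super admin"]);

// Constructed in-memory audit log; a real service would write to its SIEM.
const audit = [];

// Vulnerable pattern: the server trusts whatever "role" arrived in the
// request body, so a signed-in user editing the request in browser dev tools
// ends up with a higher-privileged account.
function createUserVulnerable(session, body) {
  if (!session || !session.userId) throw new Error("not signed in");
  const role = body.role ?? "user";
  if (!ROLES.has(role)) throw new Error("unknown role");
  return { email: body.email, role };
}

// Hardened pattern: privilege is decided from the caller's server-side
// session, never from client input. Self-service signups are always plain
// users; only a caller who is already "super admin" may assign other roles.
function createUserHardened(session, body) {
  if (!session || !session.userId) throw new Error("not signed in");
  let role = "user";
  if (body.role && body.role !== "user") {
    if (session.role !== "super admin") {
      // Detection hook: an unprivileged caller asked for elevation.
      audit.push({ actor: session.userId, requested: body.role });
      throw new Error("forbidden: role assignment requires super admin");
    }
    if (!ROLES.has(body.role)) throw new Error("unknown role");
    role = body.role;
  }
  return { email: body.email, role };
}
```

Alerting on entries in the audit log surfaces tampering attempts even when the request is correctly rejected.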
Mobile Guardian CEO Patrick Lawson did not respond to multiple requests for comment prior to publishing, including questions about the student's vulnerability report and whether the company fixed the bug.
After we contacted Lawson, the company updated its statement as follows: "Internal and third party investigations into previous vulnerabilities of the Mobile Guardian Platform are confirmed to have been resolved and no longer pose a risk." The statement did not say when the previous flaws were resolved, nor did the statement explicitly rule out a link between the previous flaws and its August cyberattack.
This is the second security incident to beset Mobile Guardian this year. In April, the Singaporean education ministry confirmed the company's management portal had been hacked and the personal information of parents and school staff from hundreds of schools across Singapore compromised. The ministry attributed the breach to Mobile Guardian's lax password policy, rather than a vulnerability in its systems.
Do you know more about the Mobile Guardian cyberattack? Are you affected? Get in touch. You can contact this reporter on Signal and WhatsApp at +1 646-755-8849, or by email. You can send files and documents via SecureDrop.