Edulog Parent Portal Products Improper Access Controls
CriticalSynopsis
Edulog’s Parent Portal and Parent Portal Lite services were affected by security-related issues regarding their authentication and access control implementations. These issues could have allowed a malicious actor to enumerate and access potentially sensitive information. This information includes, but is not limited to, data regarding students (most of whom are minors), their schools, parents, bus routes, GPS information, and proximity to given bus stops.
Normal operation of the frontend apps for these services (Parent Portal Lite and Parent Portal Plus) implies the requirement of a registration code specific to a given school or district in order to access the information described above. We discovered that while this requirement may be true for information viewed within the apps, almost all data behind these services can be directly queried with no more than a free account and the api keys included in the applications themselves.
Tenable researchers were able to register an account and access large amounts of potentially sensitive information without the need for any sort of verification or registration code. By proxying traffic from these apps, they were able to obtain the authorization token for this test user and begin querying api endpoints manually. Querying the api in this manner revealed that any existing access controls were limited to the client-side applications, and as such, allowed the researchers access to far more information than intended.
Some heavily censored examples of information retrieved can be seen below.
School Enumeration
Tenant Configuration
Student Bus Information
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]
Risk Information
Jimi Sebree
Parent Portal Suite
Critical