Edulog Parent Portal Products Improper Access Controls

Edulog’s Parent Portal and Parent Portal Lite services were affected by security-related issues regarding their authentication and access control implementations. These issues could have allowed a malicious actor to enumerate and access potentially sensitive information. This information includes, but is not limited to, data regarding students (most of whom are minors), their schools, parents, bus routes, GPS information, and proximity to given bus stops.

Normal operation of the frontend apps for these services (Parent Portal Lite and Parent Portal Plus) implies the requirement of a registration code specific to a given school or district in order to access the information described above. We discovered that while this requirement may be true for information viewed within the apps, almost all data behind these services can be directly queried with no more than a free account and the api keys included in the applications themselves.

Tenable researchers were able to register an account and access large amounts of potentially sensitive information without the need for any sort of verification or registration code. By proxying traffic from these apps, they were able to obtain the authorization token for this test user and begin querying api endpoints manually. Querying the api in this manner revealed that any existing access controls were limited to the client-side applications, and as such, allowed the researchers access to far more information than intended.

Some heavily censored examples of information retrieved can be seen below.

School Enumeration

Tenant Configuration

Student Bus Information