Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Edulog Parent Portal Products Improper Access Controls

Critical

Synopsis

Edulog’s Parent Portal and Parent Portal Lite services were affected by security-related issues regarding their authentication and access control implementations. These issues could have allowed a malicious actor to enumerate and access potentially sensitive information. This information includes, but is not limited to, data regarding students (most of whom are minors), their schools, parents, bus routes, GPS information, and proximity to given bus stops.

 

Normal operation of the frontend apps for these services (Parent Portal Lite and Parent Portal Plus) implies the requirement of a registration code specific to a given school or district in order to access the information described above. We discovered that while this requirement may be true for information viewed within the apps, almost all data behind these services can be directly queried with no more than a free account and the api keys included in the applications themselves.

 

Tenable researchers were able to register an account and access large amounts of potentially sensitive information without the need for any sort of verification or registration code. By proxying traffic from these apps, they were able to obtain the authorization token for this test user and begin querying api endpoints manually. Querying the api in this manner revealed that any existing access controls were limited to the client-side applications, and as such, allowed the researchers access to far more information than intended.

 

Some heavily censored examples of information retrieved can be seen below.

 

School Enumeration

 

Tenant Configuration

 

Student Bus Information

Solution

Edulog has stated that these issues have been resolved. As these are cloud-based services, no action is necessary for end users.

Disclosure Timeline

September 5, 2023 - Tenable attempts to obtain security contact through sales and support emails.
September 12, 2023 - Tenable makes second attempt to obtain security contact.
September 12, 2023 - Vendor provides security contact.
September 13, 2023 - Tenable discloses issues to vendor. Vendor acknowledges.
October 3, 2023 - Tenable requests status update. Vendor provides status update.
October 27, 2023 - Tenable requests status update. Vendor states status update will be sent by November 15.
November 13, 2023 - Vendor provides status update. Tenable acknowledges.
November 27, 2023 - Tenable sends advisory draft and other disclosure resources to vendor.
November 30, 2023 - Vendor states that issues are considered fixed.
December 8, 2023 - Vendor asks if any further information is needed. Tenable again requests disclosure plans.
December 11, 2023 - Vendor states that they will not be posting an advisory of their own.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2023-41
Credit:
Jimi Sebree
Affected Products:
Parent Portal Suite
Risk Factor:
Critical

Advisory Timeline

December 13, 2023 - Initial release.