WhiteHat Jr, an online coding platform for children, had left personal data of students and teachers exposed through multiple bugs until the company fixed them in mid-November, The Quint reported on November 24.
The responsible disclosures made by an independent security researcher to WhiteHat Jr stated that the Byju’s-owned company had left its backend server open, exposing a variety of plaintext data to outsiders, including student names, ages, gender, images, user IDs, parents’ names and progress reports.
The security researcher who reported the vulnerability on November 19 told The Quint on condition of anonymity that he received an acknowledgment mail the next day, and that access to the company’s AWS servers has been restricted by WhiteHat Jr as of November 20.
“According to what I found out in October, the personal data of over 2.80 lakh students including names of their parents were lying exposed due to a vulnerability on the company’s server side,” he told The Quint.
The company’s updated statement on November 25 said, “WhiteHat Jr takes security and privacy issues very seriously. Based on information received from responsible disclosures, we reviewed our setup and worked to patch specific identified vulnerabilities within 24 hours.”
“We always strive to improve our customer experience and performance of the application, and to support this we use various industry-validated tools and software,” the response further stated.
Apart from the personally identifiable information (PII) of minors, the researcher said the servers had also exposed information pertaining to teachers and to parents of the students, as well as the company’s salary documents, internal company documents and dozens of recorded videos of classes being conducted.
Separately, the company was also found to have been leaking personal data via its API where one user could view another’s data including transaction details. Santosh Patidar, the founder of a queue management app, posted the issue on LinkedIn and later updated that the bug had been fixed.
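The API issue described above, where one logged-in user could read another’s transaction details, is the classic missing object-level authorization check: the handler trusts the record id supplied by the client and never ties it to the caller. The following is an added example, not WhiteHat Jr’s code; the schema, the sample rows, the function names and the log events are all constructed for illustration. It shows the vulnerable lookup beside the fixed one, and a small detection helper for the enumeration pattern such a bug invites.

```python
"""Owner check on a per-user API resource (added example, constructed data)."""
import sqlite3
from collections import defaultdict


def make_db():
    """In-memory table holding two users' transactions (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions "
        "(id INTEGER PRIMARY KEY, user_id INTEGER, amount INTEGER, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO transactions VALUES (?, ?, ?, ?)",
        [(101, 1, 4999, "1234"), (102, 2, 2999, "9876")],
    )
    return conn


def _to_json(row):
    return {"id": row[0], "amount": row[2], "card_last4": row[3]}


def get_transaction_vulnerable(conn, caller_user_id, txn_id):
    """Looks the record up by id alone; caller_user_id is never consulted,
    so any authenticated user can read any other user's transaction."""
    row = conn.execute(
        "SELECT id, user_id, amount, card_last4 FROM transactions WHERE id = ?",
        (txn_id,),
    ).fetchone()
    if row is None:
        return 404, None
    return 200, _to_json(row)


def get_transaction_fixed(conn, caller_user_id, txn_id):
    """Scopes the query to the authenticated caller. Not-found and not-owned
    both return 404 so the endpoint cannot be used to confirm which ids exist."""
    row = conn.execute(
        "SELECT id, user_id, amount, card_last4 FROM transactions "
        "WHERE id = ? AND user_id = ?",
        (txn_id, caller_user_id),
    ).fetchone()
    if row is None:
        return 404, None
    return 200, _to_json(row)


def enumeration_suspects(events, threshold=3):
    """Detection helper: callers that received 404 on at least `threshold`
    distinct transaction ids. `events` is a list of (user_id, txn_id, status)
    tuples such as an access log would yield."""
    denied = defaultdict(set)
    for user_id, txn_id, status in events:
        if status == 404:
            denied[user_id].add(txn_id)
    return sorted(u for u, ids in denied.items() if len(ids) >= threshold)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, user 1 asks for 102:", get_transaction_vulnerable(db, 1, 102))
    print("fixed, user 1 asks for 102:     ", get_transaction_fixed(db, 1, 102))
    print("fixed, user 2 asks for 102:     ", get_transaction_fixed(db, 2, 102))
    sample_events = [(1, 101, 200), (1, 102, 404), (1, 103, 404), (1, 104, 404), (2, 102, 200)]
    print("enumeration suspects:", enumeration_suspects(sample_events))
```

Returning 404 rather than 403 for a record the caller does not own is deliberate: a 403 confirms the id exists, which turns the endpoint into an oracle for sequential ids. The detection helper is intentionally simple; in practice the same count would be run per caller over a sliding time window.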
The security researcher said he found that WhiteHat Jr was using Amazon Web Services (AWS) and that its S3 buckets had been left open, allowing access to a trove of folders containing documents, files, data and videos.
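An open S3 bucket of the kind described above is exposed through one of two settings: a bucket ACL that grants a permission to the AllUsers or AuthenticatedUsers group, or a bucket policy whose Allow statement names an anonymous principal; the account- or bucket-level Block Public Access configuration can override both. The audit below is an added example, not the company’s or the researcher’s code. It implements those checks as pure functions over the response shapes returned by the boto3 S3 client (`get_public_access_block`, `get_bucket_acl`, `get_bucket_policy`), and runs offline against a constructed fake client with hypothetical bucket names; pass a real `boto3.client("s3")` to `audit` for a live run.

```python
"""Audit S3 buckets for public exposure (added example; sample data constructed)."""
import json

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Permissions a GetBucketAcl response grants to the 'everyone' groups."""
    return sorted(
        g["Permission"] for g in acl.get("Grants", [])
        if g["Grantee"].get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GRANTEES
    )


def policy_is_public(policy_json):
    """True if any Allow statement applies to an anonymous principal with no Condition."""
    if not policy_json:
        return False
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"])
        ):
            return True
    return False


def assess_bucket(name, public_access_block, acl, policy_json):
    """Classify one bucket as 'public' or 'private', honouring Block Public Access.
    Returns (name, verdict, reasons)."""
    block = public_access_block or {}
    reasons = []
    acl_perms = public_acl_grants(acl)
    if acl_perms and not block.get("IgnorePublicAcls", False):
        reasons.append("ACL grants %s to everyone" % ",".join(acl_perms))
    if policy_is_public(policy_json) and not block.get("RestrictPublicBuckets", False):
        reasons.append("bucket policy allows anonymous principal")
    return name, ("public" if reasons else "private"), reasons


class _NotConfigured(Exception):
    """Stands in for the boto3 ClientError raised when a setting is absent."""


def audit(client):
    """Run assess_bucket over every bucket `client` can list."""
    findings = []
    for b in client.list_buckets()["Buckets"]:
        name = b["Name"]
        try:
            pab = client.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
        except Exception:  # NoSuchPublicAccessBlockConfiguration on a real client
            pab = {}
        acl = client.get_bucket_acl(Bucket=name)
        try:
            policy = client.get_bucket_policy(Bucket=name)["Policy"]
        except Exception:  # NoSuchBucketPolicy on a real client
            policy = None
        findings.append(assess_bucket(name, pab, acl, policy))
    return findings


class FakeS3Client:
    """Constructed stand-in for boto3.client('s3'); bucket names are hypothetical."""
    _everyone_read = {"Grants": [{"Grantee": {"Type": "Group",
                      "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                      "Permission": "READ"}]}
    _owner_only = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                   "Permission": "FULL_CONTROL"}]}
    _anon_policy = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
                               "Action": "s3:GetObject", "Resource": "*"}]})
    _buckets = {
        "example-class-recordings": (None, _everyone_read, None),
        "example-student-reports": ({"IgnorePublicAcls": True, "BlockPublicAcls": True,
                                     "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
                                    _everyone_read, None),
        "example-internal-docs": (None, _owner_only, _anon_policy),
    }

    def list_buckets(self):
        return {"Buckets": [{"Name": n} for n in self._buckets]}

    def get_public_access_block(self, Bucket):
        pab = self._buckets[Bucket][0]
        if pab is None:
            raise _NotConfigured(Bucket)
        return {"PublicAccessBlockConfiguration": pab}

    def get_bucket_acl(self, Bucket):
        return self._buckets[Bucket][1]

    def get_bucket_policy(self, Bucket):
        policy = self._buckets[Bucket][2]
        if policy is None:
            raise _NotConfigured(Bucket)
        return {"Policy": policy}


if __name__ == "__main__":
    for name, verdict, reasons in audit(FakeS3Client()):
        print("%-28s %-8s %s" % (name, verdict, "; ".join(reasons)))
```

The second sample bucket shows why the Block Public Access check matters: its ACL is just as permissive as the first bucket’s, but `IgnorePublicAcls` neutralises it, so flagging on the ACL alone would produce a false positive. Object-level ACLs and pre-signed URLs are outside this check and need a separate pass.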
“Among the most serious security concerns was personal information of thousands of children who had signed up onto the platform,” the researcher told The Quint, adding “this was among a large variety of other exposed data.”
Personally identifiable information, or PII, is any information that can identify an individual, and is categorised as sensitive personal data by the Personal Data Protection Bill (PDP Bill) currently tabled in Parliament.
Responding to queries on data collection, WhiteHat Jr told The Quint, “We store basic customer information (name, contact information, projects and curriculum related info, pictures) with the required consent.” According to the company, “there are no other PII of our customers, employees, suppliers collected/processed by WhiteHatJr on our applications.”
The researcher said that he got a response within a day after directly mailing WHJ’s chief technology officer on November 19-20 with identified vulnerabilities including a bug that allowed others to upload files onto the company’s servers.
“I got a response from the company’s CTO Pranab Dash on 21 November who acknowledged the vulnerabilities and informed me they had been taken care of,” he said.
Following the publication of this story by The Quint on November 24, a company spokesperson said in an updated statement, “We reiterate that no breach of data has happened in this context on the company’s computer systems and networks; out of an abundance of caution we are continuing our investigation to ensure that this is the case.”
Source: The Quint