
Potential Mobile Guardian vulnerability reported by member of public was “already patched”: MOE

SINGAPORE – The Ministry of Education (MOE) said on August 9 that it had investigated a report submitted by a member of the public about a potential security flaw in the Mobile Guardian app.

The Ministry of Education immediately investigated the May 30 report.

“We can confirm that on May 30, a private individual reported a potential security vulnerability in the Mobile Guardian application to the Ministry of Education,” the ministry said.

“We immediately investigated the report and discovered that the vulnerability had been discovered during a previous security review and had already been patched,” it added.

MOE confirmed that the disclosed exploit was no longer useful after the patch. An exploit is a program or piece of code designed to take advantage of a security flaw in a software application or computer system.

The ministry responded to earlier questions from The Straits Times about a Reddit post by user Hopeful_Chocolate080 on Aug 6, in which he said he had notified the ministry of an “impending cyberattack” on the Mobile Guardian app.

Mobile Guardian is a device management app that helps parents control their children’s device usage by limiting screen time and access to specific websites and apps.

The user stated in the post that he had sent multiple emails to MOE and Mobile Guardian informing them about the security flaws he had discovered in the app.

When ST contacted the user, he sent transcripts of his email correspondence with both Mobile Guardian and MOE, including information about “improper access controls” that the user claimed allowed “all data on Mobile Guardian systems to be read and modified.”

Demonstrating the vulnerability, the user posted instructions on how to access the Mobile Guardian admin portal.

The user reported that MOE responded six days later, saying it would “re-evaluate its cybersecurity posture,” and 19 days later the ministry confirmed that it had “reviewed the vulnerability report and confirmed that it was no longer a concern.”

The Reddit post comes a day after the ministry released a statement on Aug. 5 about the cyberattack, which included unauthorized access to its platform and affected customers worldwide. It affected about 13,000 students from 26 high schools.

On Aug. 5, MOE said some schools notified them late on Aug. 4 that students with iPads or Chromebooks had lost access to apps and data. Affected students had all their apps remotely wiped, and some had lost years of notes.

MOE said on August 9 that an independent certified penetration tester conducted a further assessment in June based on a report submitted by a member of the public.

The ministry added that no such vulnerability had been detected.

“We have informed the member of the public about this and thanked him for his feedback,” the MOE said.

“Nevertheless, we are aware that cyber threats can evolve rapidly and new vulnerabilities may be discovered,” the ministry said in a statement.

“MOE takes such disclosures of security vulnerabilities seriously and will investigate them thoroughly.”

Individuals can report any concerns about IT service vulnerabilities on the GovTech Vulnerability Disclosure portal.