Student raised security concerns about Mobile Guardian MDM weeks before cyberattack

A person posing as a student in Singapore publicly posted documentation showing weak security at a wildly popular school mobile device management service called Mobile Guardian, weeks before a cyberattack on the company led to a mass wipe of student devices and major disruptions to its operations.

In an email to TechCrunch, the student — who declined to provide his last name, citing fear of legal retaliation — said he reported the bug to the Singapore government via email in late May but could not be sure whether it was ever fixed. The Singapore government told TechCrunch that the bug had been fixed before the Aug. 4 cyberattack on Mobile Guardian, but the student said the flaw was so easy for an inexperienced attacker to find and exploit that he fears the platform has more vulnerabilities that are just as easy to abuse.

Mobile Guardian, a U.K.-based company that provides software to manage student devices in thousands of schools worldwide, disclosed the breach on Aug. 4 and shut down its platform to block malicious access, but not before the intruder had used that access to remotely wipe thousands of students' devices.

A day later, the student published details of the security flaw he had previously sent to the Singaporean Ministry of Education, Mobile Guardian’s main client since 2020.

In a Reddit post, the student said a security bug he found in Mobile Guardian granted any logged-in user "super admin" access to the company's user management system. With that access, the student said, a malicious actor could perform actions reserved for school administrators, including the ability to "reset anyone's personal learning device."

The student wrote that he reported the issue to the Singaporean Ministry of Education on May 30. Three weeks later, the ministry responded to the student that the flaw was “no longer an issue” but declined to provide him with further details, citing “commercial sensitivity,” according to an email seen by TechCrunch.

When contacted by TechCrunch, the ministry confirmed that it had received information about the bug from a security researcher and that “the vulnerability was discovered during a previous security review and has already been patched,” spokesman Christopher Lee said.

“We also confirmed that the disclosed exploit was no longer usable after the patch was installed. In June, an independent certified penetration tester conducted further evaluation and did not detect any such vulnerability,” the spokesperson said.

“Nevertheless, we are aware that cyber threats can evolve rapidly and uncover new vulnerabilities,” the spokesperson said, adding that the ministry “takes such disclosures of vulnerabilities seriously and will investigate them thoroughly.”

The bug can be exploited in any browser

The student described the bug to TechCrunch as a client-side privilege escalation vulnerability that allowed anyone on the internet to create a new Mobile Guardian user account with extremely high levels of system access, using only web browser tools. This happened because Mobile Guardian's servers allegedly did not perform proper authorization checks and instead trusted values sent by the user's browser.

In other words, the server could be tricked into granting a user account a higher level of system access simply by modifying the network request in the browser before it was sent.

TechCrunch obtained a video — recorded on May 30, the day it was disclosed — showing how the bug works. The video shows a user creating a “super admin” account using only the browser’s built-in tools to modify web traffic containing the user role to elevate that account’s access from “admin” to “super admin.”

The recording shows the server accepting the modified network request and, after logging in with the newly created “super administrator” user account, gaining access to a dashboard displaying a list of schools signed up for Mobile Guardian.
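The pattern described above, in which the server takes the new account's role from the request body instead of deciding it server-side, is easy to reproduce. The following is an added example written for this page, not Mobile Guardian's code, using a hypothetical "create user" handler with an in-memory store and a four-level role hierarchy (`student`, `teacher`, `admin`, `super_admin`) that are assumptions for illustration. It shows the vulnerable handler accepting a request whose role field was edited from `admin` to `super_admin` in the browser, beside a hardened handler that looks up the caller's role from the session and only lets a caller grant roles strictly below their own.

```javascript
// Role hierarchy assumed for this example (not Mobile Guardian's actual roles).
const ROLE_RANK = { student: 0, teacher: 1, admin: 2, super_admin: 3 };

// In-memory user store standing in for a real database.
function makeStore() {
  return { users: new Map() };
}

// Vulnerable handler: the only check is "is someone logged in?"; the role is
// copied verbatim from the client-supplied JSON body, so whatever the browser
// sends (after editing in devtools or a proxy) is what gets stored.
function createUserVulnerable(store, session, body) {
  if (!session || !session.userId) return { status: 401, error: 'not logged in' };
  const user = { id: body.username, role: body.role }; // trusts body.role
  store.users.set(user.id, user);
  return { status: 201, user };
}

// Hardened handler: the caller's role comes from server-side state keyed by the
// session, the requested role must be a known value, only admins and above may
// create accounts, and nobody may grant a role at or above their own. The
// client's role field is treated as a request, never as proof of authorization.
function createUserHardened(store, session, body) {
  if (!session || !session.userId) return { status: 401, error: 'not logged in' };
  const caller = store.users.get(session.userId);
  if (!caller) return { status: 401, error: 'unknown session' };

  const requested = body.role;
  if (!Object.prototype.hasOwnProperty.call(ROLE_RANK, requested)) {
    return { status: 400, error: 'unknown role' };
  }
  if (ROLE_RANK[caller.role] < ROLE_RANK.admin) {
    return { status: 403, error: 'caller may not create accounts' };
  }
  if (ROLE_RANK[requested] >= ROLE_RANK[caller.role]) {
    return { status: 403, error: 'cannot grant a role at or above your own' };
  }
  if (typeof body.username !== 'string' || body.username === '' || store.users.has(body.username)) {
    return { status: 400, error: 'bad or duplicate username' };
  }
  const user = { id: body.username, role: requested };
  store.users.set(user.id, user);
  return { status: 201, user };
}

// Constructed request body: what the form would normally send, then the same
// body after the role field has been edited in the browser's devtools.
function tamperedRequest() {
  const original = { username: 'newadmin', role: 'admin' };
  return { ...original, role: 'super_admin' };
}

// Replay the edited request as an ordinary logged-in student against both
// handlers (separate stores so the results do not influence each other).
function demo() {
  const body = tamperedRequest();
  const session = { userId: 'student1' };

  const vulnStore = makeStore();
  vulnStore.users.set('student1', { id: 'student1', role: 'student' });
  const hardStore = makeStore();
  hardStore.users.set('student1', { id: 'student1', role: 'student' });

  return {
    vulnerable: createUserVulnerable(vulnStore, session, body),
    hardened: createUserHardened(hardStore, session, body),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Against the vulnerable handler the student's edited request yields a `super_admin` account with status 201; the hardened handler returns 403 for the same request, while a legitimate admin can still create a `teacher` account but not another `admin` or a `super_admin`. The key design point is that authorization decisions are made from state the server already holds about the caller, so nothing the browser can change alters the outcome.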

Mobile Guardian CEO Patrick Lawson did not respond to multiple requests for comment before publication, including questions about the student vulnerability report and whether the company had fixed the bug.

After we reached out to Lawson, the company updated its statement to read: “Internal and external investigations into previous vulnerabilities in the Mobile Guardian platform have been confirmed and no longer pose a threat.” The statement did not specify when the previous vulnerabilities were resolved, nor did it specifically rule out a connection between the previous vulnerabilities and the August cyberattack.

This is the second security incident to hit Mobile Guardian this year. In April, Singapore’s education ministry confirmed that the company’s management portal had been hacked and that personal information of parents and school staff from hundreds of schools in Singapore had been compromised. The ministry attributed the breach to Mobile Guardian’s lax password policy, not a security flaw in its systems.
