A person claiming to be a student in Singapore publicly posted documentation showing lax security in a widely popular school mobile device management service called Mobile Guardian, weeks before a cyberattack on the company resulted in the mass-wiping of student devices and widespread disruption.
In an email to TechCrunch, the student — who declined to provide his name, citing fear of legal retaliation — said he reported the bug to the Singaporean government by email in late May but could not be sure that the bug was ever fixed. The Singaporean government told TechCrunch that the bug was fixed prior to the cyberattack on Mobile Guardian on August 4, but the student said the bug was so easy to find, and so trivial for an unsophisticated attacker to exploit, that he fears there are more vulnerabilities of similar exploitability.
The U.K.-based Mobile Guardian, which provides student device management software in thousands of schools around the world, disclosed the breach on August 4 and shut down its platform to block the malicious access, but not before the intruder used their access to remotely wipe thousands of student devices.
A day later, the student published details of the vulnerability he had previously sent to the Singaporean Ministry of Education, a major customer of Mobile Guardian since 2020.
In a Reddit post, the student said the security bug he found in Mobile Guardian granted any signed-in user “super admin” access to the company’s user management system. With that access, the student said, a malicious person could perform actions that are reserved for school administrators, including the ability to “reset every person’s personal learning device,” he said.
The student wrote that he reported the issue to the Singaporean education ministry on May 30. Three weeks later, the ministry responded to the student saying the flaw is “no longer a concern,” but declined to share any further details with him, citing “commercial sensitivity,” according to the email seen by TechCrunch.
When reached by TechCrunch, the ministry confirmed it had received word of the bug from the security researcher, and that “the vulnerability had been picked up as part of an earlier security screening, and had already been patched,” as per spokesperson Christopher Lee.
“We also confirmed that the disclosed exploit was no longer workable after the patch. In June, an independent certified penetration tester conducted a further assessment, and no such vulnerability was detected,” said the spokesperson.
“Nevertheless, we are mindful that cyber threats can evolve quickly and new vulnerabilities discovered,” the spokesperson said, adding that the ministry “regards such vulnerability disclosures seriously and will investigate them thoroughly.”
Bug exploitable in anyone’s browser
The student described the bug to TechCrunch as a client-side privilege escalation vulnerability, which allowed anyone on the internet to create a new Mobile Guardian user account with an extremely high level of system access using only the tools in their web browser. This was because Mobile Guardian’s servers were allegedly not performing the proper security checks and were trusting responses from the user’s browser.
The bug meant that the server could be tricked into accepting the higher level of system access for a user’s account by modifying the network traffic in the browser.
TechCrunch was provided a video — recorded on May 30, the day of disclosure — demonstrating how the bug works. The video shows the user creating a “super admin” account using only the browser’s in-built tools to modify the network traffic containing the user’s role to elevate that account’s access from “admin” to “super admin.”
The video showed the server accepting the modified network request. When logged in as the newly created “super admin” account, the user was granted access to a dashboard displaying lists of Mobile Guardian enrolled schools.
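The class of flaw described above, as an added example that is not code from Mobile Guardian or from the student's report: an account-creation handler that stores the role sent by the client, next to one that decides the role from the server-side session and records denied requests. The role names, their ranking, the handler names and the "grant no more than you hold" policy are assumptions made for illustration.

```javascript
// Hypothetical role model; the article names only "admin" and "super admin".
const ROLE_RANK = new Map([["user", 0], ["admin", 1], ["super_admin", 2]]);

// Vulnerable pattern: whatever role the request body carries is stored as-is.
function createAccountTrusting(session, body, store) {
  const account = { email: body.email, role: body.role };
  store.push(account);
  return { status: 201, account };
}

// Hardened pattern: the server decides the role from its own session state.
function createAccountChecked(session, body, store, auditLog) {
  // The caller's rank comes from the server-side session, never the request.
  const callerRole = session ? session.role : null;
  const callerRank = ROLE_RANK.has(callerRole) ? ROLE_RANK.get(callerRole) : -1;
  const requested = body.role === undefined ? "user" : body.role;

  let reason = null;
  if (!ROLE_RANK.has(requested)) {
    reason = "unknown_role";
  } else if (ROLE_RANK.get(requested) > Math.max(callerRank, 0)) {
    // Nobody may grant more privilege than they hold themselves;
    // unauthenticated sign-ups only ever receive the lowest role.
    reason = "role_exceeds_caller";
  }
  if (reason) {
    // Denied role grants are a detection signal worth alerting on.
    auditLog.push({ event: "role_grant_denied", reason, callerRole, requested, email: body.email });
    return { status: 403, error: reason };
  }
  const account = { email: body.email, role: requested };
  store.push(account);
  return { status: 201, account };
}

// Constructed sample: a request body whose role field was raised client-side.
function demo() {
  const session = { userId: 17, role: "admin" };
  const tampered = { email: "new@example.test", role: "super_admin" };
  const storeA = [], storeB = [], auditLog = [];
  return {
    trusting: createAccountTrusting(session, tampered, storeA),
    checked: createAccountChecked(session, tampered, storeB, auditLog),
    storeB,
    auditLog,
  };
}
```

The audit entries written on denial give responders a record of who asked for which role, which is the evidence a trusting handler never produces.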
Mobile Guardian CEO Patrick Lawson did not respond to multiple requests for comment prior to publication, including questions about the student’s vulnerability report and whether the company fixed the bug.
After we contacted Lawson, the company updated its statement as follows: “Internal and third party investigations into previous vulnerabilities of the Mobile Guardian Platform are confirmed to have been resolved and no longer pose a risk.” The statement did not say when the previous flaws were resolved nor did the statement explicitly rule out a link between the previous flaws and its August cyberattack.
This is the second security incident to beset Mobile Guardian this year. In April, the Singaporean education ministry confirmed the company’s management portal had been hacked and the personal information of parents and school staff from hundreds of schools across Singapore compromised. The ministry attributed the breach to Mobile Guardian’s lax password policy, rather than a vulnerability in its systems.