Student raised security concerns about Mobile Guardian MDM weeks before cyberattack

An individual posing as a student in Singapore publicly posted documentation showing weak security at a wildly popular school mobile device management service called Mobile Guardian, weeks before a cyberattack on the corporate led to a mass wipe of student devices and major disruptions to its operations.

In an email to TechCrunch, the coed — who declined to offer his last name, citing fear of legal retaliation — said he reported the bug to the Singapore government via email in late May, but couldn’t make certain if the bug was ever fixed. The Singapore government told TechCrunch that the bug had been fixed before the Mobile Guardian cyberattack on Aug. 4, but the coed said the bug was really easy to search out and exploit by an inexperienced attacker that he fears there are more vulnerabilities with similar exploitability.

Mobile Guardian, a U.K.-based company that gives software to administer student devices in hundreds of faculties worldwide, disclosed the breach on Aug. 4 and shut down its platform to dam malicious access, but before it could discover the intruder had used his access to remotely wipe hundreds of scholars’ devices.

A day later, the coed published details of the vulnerability that he had previously sent to the Singapore Ministry of Education, primary customer Mobile Guardian from 2020.

IN Reddit poststudent said a security bug he present in Mobile Guardian granted any logged-in user “super admin” access to the corporate’s user management system. With that access, the coed said, a malicious actor could perform actions reserved for college administrators, including the power to “reset anyone’s personal learning device,” he said.

The student wrote that he reported the problem to Singapore’s Ministry of Education on May 30. Three weeks later, the ministry responded to the coed saying the flaw was “no longer an issue” but declined to offer him with further details, citing “commercial sensitivity,” in line with an email seen by TechCrunch.

When contacted by TechCrunch, the ministry confirmed that it had received information about the bug from a security researcher and that “the vulnerability was discovered during a previous security review and has already been patched,” spokesman Christopher Lee said.

“We also confirmed that the disclosed exploit was no longer usable after the patch was installed. In June, an independent certified penetration tester conducted further evaluation and did not detect any such vulnerability,” the spokesperson said.

“Nevertheless, we are aware that cyber threats can evolve rapidly and uncover new vulnerabilities,” the spokesperson said, adding that the ministry “takes such disclosures of vulnerabilities seriously and will investigate them thoroughly.”

The bug might be exploited in any browser

The student described the bug to TechCrunch as a client-side privilege escalation vulnerability that allowed anyone on the web to create a brand new Mobile Guardian user account with extremely high levels of system access, using only web browser tools. This happened because Mobile Guardian servers allegedly didn’t perform proper security checks and didn’t trust responses from a user’s browser.

The bug was that the server might be tricked into accepting the next level of system access for a user account by modifying network traffic within the browser.

TechCrunch obtained a video — recorded on May 30, the day it was disclosed — showing how the bug works. The video shows a user making a “super admin” account using only the browser’s built-in tools to switch web traffic containing the user role to raise that account’s access from “admin” to “super admin.”

The recording shows the server accepting the modified network request and, after logging in with the newly created “super administrator” user account, getting access to a dashboard displaying the lists of faculties signed up for Mobile Guardian.

Mobile Guardian CEO Patrick Lawson didn’t reply to multiple requests for comment before publication, including questions about the coed vulnerability report and whether the corporate had fixed the bug.

After we reached out to Lawson, the corporate updated its statement to read: “Internal and external investigations into previous vulnerabilities in the Mobile Guardian platform have been confirmed and no longer pose a threat.” The statement didn’t specify when the previous vulnerabilities were resolved, nor did it specifically rule out a connection between the previous vulnerabilities and the August cyberattack.

This is second security incident this 12 months to harass Mobile Guardian. In April, Singapore’s education ministry confirmed that the corporate’s management portal had been hacked and that the non-public information of fogeys and college staff from tons of of faculties across Singapore had been compromised. The ministry a violation was assigned This was as a result of Mobile Guardian’s lax password policy moderately than a security flaw in its systems.