A security issue has been identified and resolved on Ravenna Hub, a platform used by families for school admissions. The vulnerability allowed unauthorized access to sensitive personal information of children.
Ravenna Hub lets parents submit and track their children's applications across numerous educational institutions. However, due to a flaw, any logged-in user could view the personal data of other users, including details about their children.
The exposed information included children's names, birth dates, home addresses, photographs, and school details. Parents' email addresses, phone numbers, and information about siblings were also exposed.
VentureEd Solutions, the Florida-based company responsible for developing and maintaining Ravenna Hub, claims to serve over a million students and processes hundreds of thousands of applications annually.
TechCrunch discovered this vulnerability and promptly notified the company, which addressed the issue on the same day. The CEO of VentureEd Solutions, Nick Laird, confirmed via email that the company successfully replicated the problem and has taken corrective measures.
While Laird mentioned that an investigation into the incident is ongoing, he did not commit to informing users about the breach or clarify whether the company can verify if any unauthorized access to data occurred. Furthermore, inquiries regarding third-party security assessments were left unanswered.
The vulnerability is an insecure direct object reference (IDOR), a common class of flaw in which the server returns stored information without adequately checking whether the requesting user is allowed to access it. In this case, a user could open another student's application simply by modifying the unique identifier linked to a student's profile in the web browser's address bar.
In the case of Ravenna Hub, student identifiers are sequential, meaning that users could easily access another student's information by altering the profile number by a few digits.
Upon creating a test account, TechCrunch found that the URL contained a seven-digit number, indicating that there were over 1.63 million records potentially accessible to any user.
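The missing server-side check behind an IDOR of the kind described above, shown next to a corrected lookup. This is an added example, not Ravenna Hub's code; the record fields, account names, IDs and function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Application:
    student_id: int
    owner_account: str  # hypothetical field: the parent account that owns the record
    child_name: str

# Constructed sample records with sequential IDs, as the article describes.
APPLICATIONS = {
    1000001: Application(1000001, "parent-a", "Child A"),
    1000002: Application(1000002, "parent-b", "Child B"),
}
DENIED_LOG = []  # (account, student_id) pairs, kept so cross-account attempts can be reviewed

class NotFound(Exception):
    pass

def get_application_vulnerable(session_account, student_id):
    """Checks only that the caller is logged in, then trusts the ID from the URL."""
    if session_account is None:
        raise PermissionError("login required")
    record = APPLICATIONS.get(student_id)
    if record is None:
        raise NotFound(student_id)
    return record  # any logged-in user receives any student's record

def get_application_fixed(session_account, student_id):
    """Adds the object-level check: the record must belong to the caller."""
    if session_account is None:
        raise PermissionError("login required")
    record = APPLICATIONS.get(student_id)
    if record is not None and record.owner_account != session_account:
        DENIED_LOG.append((session_account, student_id))
        record = None  # answer exactly as for a missing ID, so IDs cannot be probed
    if record is None:
        raise NotFound(student_id)
    return record

if __name__ == "__main__":
    print(get_application_vulnerable("parent-a", 1000002).child_name)  # leaks Child B
    try:
        get_application_fixed("parent-a", 1000002)
    except NotFound:
        print("fixed handler: not found; denied attempts:", DENIED_LOG)
```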
This incident highlights ongoing security challenges related to personal data protection for children. In January, another online platform, UStrive, faced a similar issue, exposing personal information of its users, many of whom were minors.