400,000 German Students Data Exposed By API Flaw
Security researcher Lilith Wittmann has discovered a bug in the Scoolio app, a student community app widely used in Germany, that exposed the sensitive information of approximately 400,000 students.
The exposed personal data includes:
- User nickname
- User and parent email addresses
- GPS location at which the app was last opened
- Name of school and class
- UUID details
- Personality traits (origin, religion, sexuality)
Wittmann shared a fictitious sample of the types of data exposed by the flaw below.
While Scoolio states that 1.8 million people use their app, the researcher believes that the actual number is closer to 400,000, based on how user IDs are created.
“We cannot say exactly how many students are affected. Because Scoolio artificially inflates its user numbers by creating accounts without asking: as soon as you download the app and open it once, an empty profile with a UUID is generated – regardless of whether you actually want to create a user account,” explains the Zerforschung report.
Zerforschung states that they disclosed the flaw to Scoolio on September 21, 2021, but it took the software developer until October 25, 2021 to deploy a patch.