A recent revelation has brought to light a significant security flaw in Mobile Guardian, a prominent mobile device management service for schools. This vulnerability was exposed by a student in Singapore weeks before the company suffered a major cyberattack that resulted in the mass-wiping of student devices.
Security Flaw Uncovered
In late May, a student, who chose to remain anonymous due to concerns about legal repercussions, discovered a serious security flaw in Mobile Guardian and reported it to the Singaporean Ministry of Education. The bug, which granted unauthorized “super admin” access to anyone logged into the system, was reportedly trivial for even unsophisticated attackers to exploit. Despite the student’s report, it remains unclear if the vulnerability was fully addressed before the subsequent cyberattack on August 4.
The Singaporean government confirmed to TechCrunch that the flaw was addressed before the attack. However, the student expressed doubts about the effectiveness of the fix and feared that additional vulnerabilities could be present. The vulnerability allowed users to perform administrative actions, such as resetting all personal learning devices, which could have been exploited by malicious actors.
Details of the Vulnerability
On August 5, the student publicly shared details of the vulnerability on Reddit, explaining how it allowed users to gain elevated access levels within Mobile Guardian’s user management system. The bug involved a client-side privilege escalation, where improper security checks on the server allowed any user with a browser to gain super admin rights by modifying network traffic.
A video provided by the student demonstrated how the bug worked. It showed how a user could create a “super admin” account by altering network traffic, thus gaining unauthorized access to Mobile Guardian’s dashboard, which displayed lists of enrolled schools. The video, recorded on the day the vulnerability was reported, illustrates the ease with which the bug could be exploited.
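As an added illustration that is not Mobile Guardian's code (the role names, session model, store and handler functions are all assumed for this example), the difference between a user-creation handler that stores whatever role the client sends and one that authorises the requested role against the caller's server-side session:

```python
# Added illustration, not Mobile Guardian's code. Models the bug class described
# above: the server accepts a role supplied in the request body instead of
# deciding it from state it controls. All names and data are constructed.
from dataclasses import dataclass, field

ROLE_RANK = {"student": 0, "teacher": 1, "admin": 2, "super_admin": 3}


@dataclass
class Session:
    user_id: str
    role: str  # role as recorded on the server; never taken from the request


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)


def create_user_vulnerable(store: UserStore, session: Session, body: dict) -> dict:
    """Mass-assignment defect: the client-supplied 'role' is stored verbatim.
    Any logged-in user who edits the request in transit can mint a super_admin."""
    store.users[body["username"]] = {"role": body.get("role", "student")}
    return store.users[body["username"]]


def create_user_hardened(store: UserStore, session: Session, body: dict) -> dict:
    """Authorise the role change against the session, not the request body."""
    requested = body.get("role", "student")
    if requested not in ROLE_RANK:
        raise PermissionError("unknown role")
    # Only admins and above may create accounts at all ...
    if ROLE_RANK[session.role] < ROLE_RANK["admin"]:
        raise PermissionError("caller may not create accounts")
    # ... and no caller may grant a role above their own.
    if ROLE_RANK[requested] > ROLE_RANK[session.role]:
        raise PermissionError("cannot grant a role above your own")
    store.users[body["username"]] = {"role": requested, "created_by": session.user_id}
    return store.users[body["username"]]


def attempt(handler, store: UserStore, session: Session, body: dict) -> str:
    """Run a handler and report the resulting role, or 'denied' if it refused."""
    try:
        return handler(store, session, body)["role"]
    except PermissionError:
        return "denied"


# Constructed request: a student session whose body was edited to ask for super_admin.
TAMPERED = {"username": "newadmin", "role": "super_admin"}
STUDENT = Session(user_id="s1", role="student")
```

A denied attempt is also the natural place to emit an audit event, since a non-admin session requesting an elevated role is exactly the traffic tampering described above.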
Company Response and Previous Incidents
Mobile Guardian, based in the U.K., disclosed the breach on August 4, after an intruder used their access to remotely wipe thousands of student devices. The company shut down its platform to halt the malicious activity but did not comment on the specific vulnerability reported by the student until later.
When contacted, Mobile Guardian CEO Patrick Lawson did not respond to initial inquiries regarding the student’s report and the status of the bug fix. Afterward, the company issued a statement confirming that previous vulnerabilities had been resolved and no longer posed a risk. However, the statement did not address whether the resolved vulnerabilities were linked to the August cyberattack.
This incident marks the second major security issue for Mobile Guardian this year. In April, the Singaporean education ministry reported a breach of the company’s management portal, compromising personal information from hundreds of schools across Singapore. The ministry attributed the breach to Mobile Guardian’s weak password policies rather than a system vulnerability.