A critical security flaw in the Ravenna Hub student admissions website has exposed sensitive personal information of children to unauthorized users. The website, used by families to manage school applications, allowed any logged-in user to access the personal data of other users, including children’s names, dates of birth, addresses, pictures, and school details. Additionally, parents’ email addresses, phone numbers, and information about children’s siblings were compromised.
Florida-based VentureEd Solutions, the company behind Ravenna Hub, acknowledged the issue and promptly addressed the security vulnerability after being alerted by TechCrunch. The incident has raised concerns about the oversight of cybersecurity measures at VentureEd and Ravenna Hub. The vulnerability exploited in this case is identified as an insecure direct object reference (IDOR), a common security weakness that arises due to inadequate server security controls.
While VentureEd Solutions claims to serve over a million students and facilitate hundreds of thousands of applications annually, the extent of unauthorized access and the potential impact on affected users remain unclear. The company’s CEO, Nick Laird, confirmed the fix but did not provide details on notifying users or conducting further investigations into the incident.
Source: TechCrunch