A person claiming to be a Singaporean student has publicly released documentation showing poor security in a popular school mobile device management service called Mobile Guardian, just weeks before a cyberattack on the company led to mass wipes of students’ devices and widespread disruption.
In an email to TechCrunch, the student, who declined to be named citing fears of legal retaliation, said he reported the bug to the Singapore government via email in late May, but was unsure whether the bug was ever fixed. The Singapore government told TechCrunch that the bug was fixed before the Aug. 4 Mobile Guardian cyberattack, but the student said the bug was so easy to find and trivial for an inexperienced attacker to exploit that he fears there are other vulnerabilities with similar exploitability.
U.K.-based Mobile Guardian, which provides student device management software to thousands of schools around the world, disclosed the breach on Aug. 4 and shut down its platform to block malicious access — but not before the intruder used his access to remotely wipe thousands of student devices.
The next day, the student published details of the vulnerability that he had previously submitted to the Singapore Ministry of Education, a major Mobile Guardian customer since 2020.
In a Reddit post, the student said the security bug he found in Mobile Guardian granted any registered user “super admin” access to the company’s user management system. With that access, the student said, a malicious person could perform actions reserved for school administrators, including the ability to “reset each person’s personal learning device.”
The student wrote that he reported the issue to Singapore’s education ministry on May 30. Three weeks later, the ministry responded to the student, saying the flaw was “no longer an issue,” but declined to share further details with him, citing “commercial sensitivity,” according to the email seen by TechCrunch.
Contacted by TechCrunch, the ministry confirmed that it had received notice of the bug from the security researcher and that “the vulnerability had been identified as part of a previous security screening and had already been fixed,” according to spokesman Christopher Lee.
“We also confirmed that the disclosed exploit was no longer usable after the patch. An independent certified penetration tester conducted a further assessment in June and no such vulnerability was found,” the spokesperson said.
“However, we are aware that cyber threats can evolve rapidly and new vulnerabilities can be discovered,” the spokesperson said, adding that the ministry “takes such vulnerability disclosures seriously and will investigate them thoroughly.”
Exploitable bug in anyone’s browser
The student described the bug to TechCrunch as a client-side privilege escalation vulnerability, which allowed anyone on the Internet to create a new Mobile Guardian user account with an extremely high level of access to the system using only the tools in their web browser. This was because Mobile Guardian’s servers allegedly weren’t performing proper server-side security checks and instead trusted whatever the user’s browser sent.
The bug allowed the server to be tricked into accepting the highest level of system access for a user’s account by modifying network traffic in the browser.
TechCrunch has received a video, recorded on May 30, the day of the disclosure, that shows how the bug works. The video shows a user creating a “super admin” account using only the browser’s built-in tools to modify network traffic containing the user’s role to elevate that account’s access from “admin” to “super admin.”
The video showed the server accepting the modified network request; logging in with the newly created “super administrator” user account then gave access to a dashboard showing lists of schools enrolled in Mobile Guardian.
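The bug described above is a textbook case of a server accepting an authorization attribute (the account role) from the client instead of deciding it server-side. The following is an added illustration, not code from Mobile Guardian or from the article: a naive user-creation handler that stores whatever role the browser sent, beside a hardened version that rejects unexpected fields and refuses to create an account with more privilege than the caller holds. The endpoint shape, role names, sample requests and audit record format are all assumptions constructed for the example.

```python
"""Added example (not Mobile Guardian's code): a server must never take an
account's role from the client's request body.

Everything here is constructed: the handler shape, the role hierarchy and
the sample requests are assumptions made for illustration only.
"""
import json

# Hypothetical role hierarchy; a higher rank means more privilege.
ROLE_RANK = {"user": 0, "admin": 1, "super_admin": 2}


class Forbidden(Exception):
    """Raised when the caller lacks the privilege for the requested action."""


def create_user_vulnerable(caller, body_json):
    """Naive handler: whatever 'role' the browser sends is stored as-is.

    A caller who edits the request in the browser's developer tools can turn
    a request for an 'admin' account into a 'super_admin' one, because the
    server never compares the requested role with the caller's own.
    """
    body = json.loads(body_json)
    return {"email": body["email"],
            "role": body.get("role", "user"),
            "created_by": caller["email"]}


def create_user_hardened(caller, body_json):
    """Hardened handler: the server, not the client, decides the role.

    - Unknown fields are rejected (no mass assignment of extra attributes).
    - The requested role must be one the server knows about.
    - A caller may only create accounts at or below its own rank, so an
      'admin' can never mint a 'super_admin' regardless of the payload.
    """
    body = json.loads(body_json)
    unexpected = set(body) - {"email", "role"}
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    requested = body.get("role", "user")
    if requested not in ROLE_RANK:
        raise ValueError(f"unknown role: {requested!r}")
    if ROLE_RANK[requested] > ROLE_RANK[caller["role"]]:
        # The server-side authorization check the naive handler lacks.
        raise Forbidden(f"{caller['role']} may not create a {requested} account")
    return {"email": body["email"], "role": requested,
            "created_by": caller["email"]}


def handle(handler, caller, body_json, audit):
    """Run a handler and append an audit record, so that denied elevation
    attempts are visible to defenders. Returns (http_status, user_or_None)."""
    try:
        user = handler(caller, body_json)
    except Forbidden as exc:
        audit.append({"event": "create_user_denied",
                      "by": caller["email"], "reason": str(exc)})
        return 403, None
    except (ValueError, KeyError) as exc:
        audit.append({"event": "create_user_rejected",
                      "by": caller["email"], "reason": str(exc)})
        return 400, None
    audit.append({"event": "create_user", "by": caller["email"],
                  "role": user["role"], "email": user["email"]})
    return 201, user


# Constructed sample data: an ordinary admin session and two request bodies,
# one of which has had its role field edited from "admin" to "super_admin".
CALLER = {"email": "admin@example.invalid", "role": "admin"}
NORMAL = json.dumps({"email": "teacher@example.invalid", "role": "admin"})
TAMPERED = json.dumps({"email": "attacker@example.invalid", "role": "super_admin"})

if __name__ == "__main__":
    print("vulnerable:", create_user_vulnerable(CALLER, TAMPERED))
    log = []
    print("hardened (tampered):", handle(create_user_hardened, CALLER, TAMPERED, log))
    print("hardened (normal):  ", handle(create_user_hardened, CALLER, NORMAL, log))
    for entry in log:
        print("audit:", entry)
```

The important design choice is that `create_user_hardened` derives the permitted privilege ceiling from the caller's own authenticated session rather than from anything in the request body, and that every denied attempt leaves an audit record; a spike of `create_user_denied` events from one account is exactly the signal a defender would want to alert on.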
Mobile Guardian CEO Patrick Lawson did not respond to multiple requests for comment before publication, including those regarding the student vulnerability report and whether the company had fixed the bug.
After TechCrunch reached out to Lawson, the company updated its statement to read: “Internal and third-party investigations into previous vulnerabilities in the Mobile Guardian platform have been confirmed as resolved and no longer pose a risk.” The statement did not specify when the previous vulnerabilities were resolved, nor did it explicitly rule out a connection between the previous vulnerabilities and its August hack.
This is the second security incident to hit Mobile Guardian this year. In April, Singapore’s Ministry of Education confirmed that the company’s management portal had been hacked, and that the personal information of parents and school staff at hundreds of schools in Singapore had been compromised. The ministry attributed the breach to Mobile Guardian’s lax password policy, rather than a vulnerability in its systems.
Do you know more about the Mobile Guardian cyberattack? Are you affected? Contact us. You can contact this reporter on Signal and WhatsApp at +1 646-755-8849, or via email. You can send files and documents via SecureDrop.