Friday, January 3, 2025

Weeks before a high-profile cyberattack drew national attention, a scholar had already sounded the alarm on potential security vulnerabilities in Cell Guardian Mobile Device Management (MDM) software.

A purported student in Singapore shared online records showcasing inadequate security measures in a widely used educational institution’s Cell Guardian system, just prior to the mass-deletion of student devices and ensuing chaos.

A cybersecurity expert, who wished to remain anonymous due to concerns over potential legal repercussions, reached out to TechCrunch via email. The individual claimed to have notified the Singaporean authorities about the vulnerability through an email sent in late May, but could not confirm whether the issue was subsequently resolved. The Singaporean authorities revealed that a vulnerability existed prior to Cell Guardian’s cyberattack on August 4, whereas the student claimed it was straightforward to identify and easily exploitable by an inexperienced hacker, prompting concerns about potential additional vulnerabilities that are just as easy to exploit.

The UK-based Cell Guardian, a provider of pupil system administration software to thousands of schools globally, suspended operations on August 4 to contain the malicious intrusion, but not before an unauthorized user exploited access to remotely erase thousands of student devices.

On the following day, the researcher shared detailed information about the flaw he had previously reported to the Singaporean Ministry of Education, a partner of Cell Guardian since 2020.

The researcher revealed a security flaw in Cell Guardian that allowed any signed-in individual to obtain “tremendous administrator” access to the company’s personnel management system. Without warning, a rogue actor could carry out actions typically entrusted to college administrators, including the ability to “reboot every student’s personal learning environment,” he cautioned.

The scholar reported the issue to the Singaporean Ministry of Education on May 30th. The ministry took three weeks to respond, deeming the issue “not a priority” without providing further details, citing “business sensitivity,” according to an email reviewed by TechCrunch.

When contacted by TechCrunch, the ministry verified it had obtained details about the bug from the security researcher, and confirmed that “the vulnerability was identified during an earlier security audit and had already been remedied,” according to a statement from spokesperson Christopher Lee.

The disclosed exploit was found to be ineffective following the implementation of the security patch. The company’s spokesperson noted that in June, a licensed penetration tester conducted a thorough assessment, finding no evidence of the previously identified vulnerability.

Despite acknowledging that cyber threats can quickly adapt, a spokesperson emphasized the ministry’s commitment to scrutinizing newly discovered vulnerabilities with utmost seriousness.

Bug exploitable in anybody’s browser

A researcher disclosed a significant client-side privilege escalation flaw to TechCrunch, permitting any internet user to create a new Cell Guardian account with unprecedented system access using only their web browser’s built-in tools. The flaw was allegedly due to failures in Cell Guardian’s server, which accepted malicious input from users’ browsers and allowed it to bypass the intended security measures.

Due to the bug, an attacker could potentially manipulate the server into allowing an elevated level of system access for a user’s account by tampering with the browser’s network traffic.

A TechCrunch representative was provided with a video, captured on May 30, the day of disclosure, showing the vulnerability in action. The video shows an individual creating a “tremendous admin” account using only built-in browser tools to modify network traffic, ultimately elevating the account’s access level from “admin” to “tremendous admin.”

A review of the video confirmed that the server accepted the modified network request; subsequently, upon logging in as the newly created “tremendous admin” account, access was granted to a dashboard showing comprehensive lists of Cell Guardian-enrolled faculty members.
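The class of flaw described above, a server that trusts a privilege level sent by the browser, can be illustrated with an added example that is not Cell Guardian's code. The role names, request fields and both handlers are hypothetical; the first handler shows the trusting pattern and the second shows a server-side check that derives authority from the session and logs denied escalation attempts.

```javascript
// Added example: role names, request fields and both handlers are hypothetical.
const ROLE_RANK = new Map([["user", 0], ["admin", 1], ["tremendous_admin", 2]]);

// Vulnerable pattern: the role is copied from the request body, so a request
// edited in the browser's developer tools chooses its own privilege level.
function createAccountTrusting(session, body) {
  return { status: 201, account: { email: body.email, role: body.role } };
}

// Hardened pattern: the caller's role comes only from the server-side session,
// the requested role must be on an allowlist, and nobody can grant a role
// above their own. Denied attempts are recorded for detection.
function createAccountChecked(session, body, auditLog) {
  const callerRank = ROLE_RANK.get(session && session.role);
  if (callerRank === undefined) {
    return { status: 401, error: "no authenticated role in session" };
  }
  const requested = body.role === undefined ? "user" : body.role;
  const requestedRank = ROLE_RANK.get(requested);
  if (typeof body.email !== "string" || requestedRank === undefined) {
    return { status: 400, error: "invalid email or unknown role" };
  }
  if (requestedRank > callerRank) {
    auditLog.push({ event: "role_escalation_denied", by: session.userId,
                    callerRole: session.role, requestedRole: requested });
    return { status: 403, error: "cannot grant a role above your own" };
  }
  return { status: 201, account: { email: body.email, role: requested } };
}

// Constructed sample: an "admin" session submits a body whose role field was
// changed in transit from "admin" to "tremendous_admin".
function demo() {
  const session = { userId: "u-1001", role: "admin" };
  const tampered = { email: "new.user@example.test", role: "tremendous_admin" };
  const auditLog = [];
  return {
    trusting: createAccountTrusting(session, tampered),
    checked: createAccountChecked(session, tampered, auditLog),
    auditLog,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `role_escalation_denied` entries give defenders a signal to alert on, since a legitimate client would never request a role above the caller's own.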

Cell Guardian’s CEO, Patrick Lawson, declined to comment on multiple prior requests, including inquiries about the student’s vulnerability report and whether the company addressed the issue.

Following contact with Lawson, the corporation updated its statement as follows: “Independent and third-party investigations into previously identified vulnerabilities of the Cell Guardian Platform have confirmed that they have been remedied and no longer pose a risk.” 

It’s crucial to bolster Cell Guardian defenses this year. In April, Singapore’s Ministry of Education confirmed that its corporate administration portal had been breached, resulting in the compromise of personal information belonging to thousands of parents and education staff across multiple schools in Singapore. The Ministry’s failure to properly address password vulnerabilities is more concerning than any weakness in their software.

