Close Menu
TechBrunchTechBrunch
  • Home
  • AI
  • Apps
  • Crypto
  • Security
  • Startups
  • TechCrunch
  • Venture

Subscribe to Updates

Subscribe to our newsletter and never miss our latest news

Subscribe my Newsletter for New Posts & tips Let's stay updated!

What's Hot

The court denied requests to suspend awards regarding Apple's App Store payment fees

June 6, 2025

Circle IPOs are giving hope to more startups waiting to be published to more startups

June 5, 2025

Perplexity received 780 million questions last month, the CEO says

June 5, 2025
Facebook X (Twitter) Instagram
TechBrunchTechBrunch
  • Home
  • AI

    OpenAI seeks to extend human lifespans with the help of longevity startups

    January 17, 2025

    Farewell to the $200 million woolly mammoth and TikTok

    January 17, 2025

    Nord Security founder launches Nexos.ai to help enterprises move AI projects from pilot to production

    January 17, 2025

    Data proves it remains difficult for startups to raise capital, even though VCs invested $75 billion in the fourth quarter

    January 16, 2025

    Apple suspends AI notification summaries for news after generating false alerts

    January 16, 2025
  • Apps

    The court denied requests to suspend awards regarding Apple's App Store payment fees

    June 6, 2025

    Perplexity received 780 million questions last month, the CEO says

    June 5, 2025

    Bonfire's new software allows users to build their own social communities free from platform control

    June 5, 2025

    x Test to highlight posts that users with dissent

    June 5, 2025

    Google says the updated Gemini 2.5 Pro AI model is excellent at coding

    June 5, 2025
  • Crypto

    Circle IPOs are giving hope to more startups waiting to be published to more startups

    June 5, 2025

    GameStop bought $500 million in Bitcoin

    May 28, 2025

    Vote for the session you want to watch in 2025

    May 26, 2025

    Save $900 + 90% from 2 tickets to destroy 2025 in the last 24 hours

    May 25, 2025

    Only 3 days left to save up to $900 to destroy the 2025 pass

    May 23, 2025
  • Security

    Humanity unveils custom AI models for US national security customers

    June 5, 2025

    Unlock phone company Cellebrite to acquire mobile testing startup Corellium for $170 million

    June 5, 2025

    Ransomware Gangs claim responsibility for Kettering Health Hack

    June 4, 2025

    Former CTO of CrowdStrike's cyber-rivals and how automation can undermine security for early-stage startups

    June 4, 2025

    Data breaches at newspaper giant Lee Enterprises impact 40,000 people

    June 4, 2025
  • Startups

    7 days left: Founders and VCs save over $300 on all stage passes

    March 24, 2025

    AI chip startup Furiosaai reportedly rejecting $800 million acquisition offer from Meta

    March 24, 2025

    20 Hottest Open Source Startups of 2024

    March 22, 2025

    Andrill may build a weapons factory in the UK

    March 21, 2025

    Startup Weekly: Wiz bets paid off at M&A Rich Week

    March 21, 2025
  • TechCrunch

    OpenSea takes a long-term view with a focus on UX despite NFT sales remaining low

    February 8, 2024

    AI will save software companies' growth dreams

    February 8, 2024

    B2B and B2C are not about who buys, but how you sell

    February 5, 2024

    It's time for venture capital to break away from fast fashion

    February 3, 2024

    a16z's Chris Dixon believes it's time to focus on blockchain use cases rather than speculation

    February 2, 2024
  • Venture

    Less than 48 hours left until display at TC at all stages

    June 5, 2025

    TC Session: AI will be on sale today at Berkeley

    June 5, 2025

    North America accounts for the majority of AI VC investment despite the harsh political environment

    June 5, 2025

    3 days left: Charge all your locations in stages on TC Expo Floor

    June 4, 2025

    From $5 to Financial Empowerment: Why Stash co-founder Brandon Krieg is a must-see for TechCrunch All Stage 2025

    June 4, 2025
TechBrunchTechBrunch

Students Raise Concerns About Mobile Guardian MDM Security Weeks Before Cyberattack

TechBrunchBy TechBrunchAugust 10, 20244 Mins Read
Facebook Twitter Pinterest Telegram LinkedIn Tumblr WhatsApp Email
Share
Facebook Twitter LinkedIn Pinterest Telegram Email


A purported student in Singapore has published documents revealing weak security in Mobile Guardian, a popular school mobile device management service that was targeted by a cyber attack a few weeks ago that wiped masses of student devices and caused widespread disruption.

In an email to TechCrunch, the student, who declined to be named for fear of legal retaliation, said he reported the bug to the Singapore government in late May by email but was unsure whether it had been fixed. While the Singapore government told TechCrunch the bug was fixed before the Mobile Guardian cyberattack on August 4, the student said that because the bug was easy to find and easily exploitable even by inexperienced attackers, he is concerned that there may be other vulnerabilities that could be similarly exploited.

UK-based Mobile Guardian, which provides student device management software to thousands of schools around the world, disclosed the breach on August 4 and shut down its platform to block malicious access, but the intruders used that access to remotely wipe thousands of student devices.

The next day, the student published details of the vulnerability that he had previously sent to the Singapore Ministry of Education, which has been Mobile Guardian's major client since 2020.

In a Reddit post, the student said that a security bug he discovered in Mobile Guardian granted all signed-in users “super admin” access to the company's user management system. With that access, the student said, a malicious actor could potentially perform actions only available to school administrators, such as the ability to “reset each person's personal learning devices.”

The students wrote that they reported the issue to Singapore's Ministry of Education on May 30. Three weeks later, the ministry responded to the students by telling them the flaw was “no longer an issue,” but declined to provide them with further details, citing “commercial confidentiality,” according to emails reviewed by TechCrunch.

When contacted by TechCrunch, the department confirmed that a security researcher had reported the bug, with spokesman Christopher Lee saying that “the vulnerability was discovered as part of a previous security review and had already been fixed.”

“We also confirmed that the disclosed exploit no longer worked after the patch was applied. A further assessment was carried out by an independent certified penetration tester in June, which did not detect any such vulnerabilities,” the spokesperson said.

“However, we recognize that cyber threats evolve rapidly and new vulnerabilities may be discovered,” the spokesperson said, adding that the department “takes any disclosures of such vulnerabilities seriously and will thoroughly investigate them.”

Bugs that can be exploited in anyone's browser

The students described the bug to TechCrunch as a client-side privilege escalation vulnerability that allowed anyone on the internet to create new Mobile Guardian user accounts with extremely high levels of system access using only the tools in a web browser, allegedly because Mobile Guardian's servers did not perform proper security checks and trusted responses from users' browsers.

The bug meant that by modifying the browser's network traffic, it was possible to trick the server into granting a higher level of system access for a user's account.

TechCrunch was provided with a video (recorded on May 30th when it was made public) that demonstrates how the bug works. The video shows a user creating a “superadmin” account using only the browser's built-in tools, then modifying network traffic containing the user's role, elevating that account's access from “administrator” to “superadmin.”

The video showed the server accepting the modified network request and logging in as the newly created “super admin” user account granted access to a dashboard showing a list of schools registered with Mobile Guardian.

Mobile Guardian CEO Patrick Lawson did not respond to multiple requests for comment before publication, including questions about the students' vulnerability reports and whether the company had fixed the bugs.

After we contacted Lawson, the company updated its statement to read, “Internal and third-party investigations into previous vulnerabilities in the Mobile Guardian platform have been resolved and confirmed to no longer pose a risk.” The statement did not say when the previous flaws were resolved, nor did it explicitly deny any connection between the previous flaws and the August cyberattack.

This is the second security incident to hit Mobile Guardian this year. In April, Singapore's Ministry of Education confirmed that the company's administration portal had been hacked, exposing personal information of parents and staff from hundreds of schools across Singapore. The ministry said the breach was due to the company's lax password policies, rather than vulnerabilities in Mobile Guardian's systems.

Want to know more about the Mobile Guardian cyberattack? Have you been a victim? Let us know. You can contact this reporter on Signal and WhatsApp (+1 646-755-8849) or by email. You can send us files and documents via SecureDrop.



Source link

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email

Related Posts

Humanity unveils custom AI models for US national security customers

June 5, 2025

Unlock phone company Cellebrite to acquire mobile testing startup Corellium for $170 million

June 5, 2025

Ransomware Gangs claim responsibility for Kettering Health Hack

June 4, 2025

Former CTO of CrowdStrike's cyber-rivals and how automation can undermine security for early-stage startups

June 4, 2025

Data breaches at newspaper giant Lee Enterprises impact 40,000 people

June 4, 2025

Phone Chipmaker Qualcomm fixes 3 zero-days exploited by hackers

June 3, 2025

Leave A Reply Cancel Reply

Top Reviews
Editors Picks

7 days left: Founders and VCs save over $300 on all stage passes

March 24, 2025

AI chip startup Furiosaai reportedly rejecting $800 million acquisition offer from Meta

March 24, 2025

20 Hottest Open Source Startups of 2024

March 22, 2025

Andrill may build a weapons factory in the UK

March 21, 2025
About Us
About Us

Welcome to Tech Brunch, your go-to destination for cutting-edge insights, news, and analysis in the fields of Artificial Intelligence (AI), Cryptocurrency, Technology, and Startups. At Tech Brunch, we are passionate about exploring the latest trends, innovations, and developments shaping the future of these dynamic industries.

Our Picks

The court denied requests to suspend awards regarding Apple's App Store payment fees

June 6, 2025

Circle IPOs are giving hope to more startups waiting to be published to more startups

June 5, 2025

Perplexity received 780 million questions last month, the CEO says

June 5, 2025

Subscribe to Updates

Subscribe to our newsletter and never miss our latest news

Subscribe my Newsletter for New Posts & tips Let's stay updated!

© 2025 TechBrunch. Designed by TechBrunch.
  • Home
  • About Tech Brunch
  • Advertise with Tech Brunch
  • Contact us
  • DMCA Notice
  • Privacy Policy
  • Terms of Use

Type above and press Enter to search. Press Esc to cancel.