Close Menu
TechBrunchTechBrunch
  • Home
  • AI
  • Apps
  • Crypto
  • Security
  • Startups
  • TechCrunch
  • Venture

Subscribe to Updates

Subscribe to our newsletter and never miss our latest news

Subscribe my Newsletter for New Posts & tips Let's stay updated!

What's Hot

Instagram lets you share Spotify songs with your story to your sound

June 30, 2025

At every stage of TechCrunch, Charles Hudson tells us what investors really see

June 30, 2025

Baidu’s AI Breakthrough Hasn’t Been Priced In — Why BIDU Could Hit $120 Soon

June 30, 2025
Facebook X (Twitter) Instagram
TechBrunchTechBrunch
  • Home
  • AI

    OpenAI seeks to extend human lifespans with the help of longevity startups

    January 17, 2025

    Farewell to the $200 million woolly mammoth and TikTok

    January 17, 2025

    Nord Security founder launches Nexos.ai to help enterprises move AI projects from pilot to production

    January 17, 2025

    Data proves it remains difficult for startups to raise capital, even though VCs invested $75 billion in the fourth quarter

    January 16, 2025

    Apple suspends AI notification summaries for news after generating false alerts

    January 16, 2025
  • Apps

    Instagram lets you share Spotify songs with your story to your sound

    June 30, 2025

    The best iPad app to unleash and explore your creativity

    June 30, 2025

    Privacy-centric app maker Proton sues Apple over anti-competitive practices and charges alleged

    June 30, 2025

    Google is adopting AI in classrooms, including new Gemini tools for educators and chatbots for students

    June 30, 2025

    The former meta engineer has built AI tools to plan every detail of a trip

    June 30, 2025
  • Crypto

    Vitalik Buterin reserves for Sam Altman's global project

    June 28, 2025

    Calci will close a $185 million round as rival Polymeruk reportedly seeks $200 million

    June 25, 2025

    Stablecoin Evangelist: Katie Haun's Battle of Digital Dollars

    June 22, 2025

    Hackers steal and destroy millions of Iran's biggest crypto exchanges

    June 18, 2025

    Unique, a new social media app

    June 17, 2025
  • Security

    US government overthrows North Korea's major “workers” management

    June 30, 2025

    Mexican drug cartel hackers spy on FBI officials' phones to track and kill informants, the report says

    June 30, 2025

    FBI, cybersecurity firms say prolific hacking crews are currently targeting airlines and transportation sectors

    June 28, 2025

    Prolific cybercrime gangs currently targeting the airline and transportation sector

    June 27, 2025

    US and French authorities confirm arrest of a violation form hacker

    June 26, 2025
  • Startups

    7 days left: Founders and VCs save over $300 on all stage passes

    March 24, 2025

    AI chip startup Furiosaai reportedly rejecting $800 million acquisition offer from Meta

    March 24, 2025

    20 Hottest Open Source Startups of 2024

    March 22, 2025

    Andrill may build a weapons factory in the UK

    March 21, 2025

    Startup Weekly: Wiz bets paid off at M&A Rich Week

    March 21, 2025
  • TechCrunch

    OpenSea takes a long-term view with a focus on UX despite NFT sales remaining low

    February 8, 2024

    AI will save software companies' growth dreams

    February 8, 2024

    B2B and B2C are not about who buys, but how you sell

    February 5, 2024

    It's time for venture capital to break away from fast fashion

    February 3, 2024

    a16z's Chris Dixon believes it's time to focus on blockchain use cases rather than speculation

    February 2, 2024
  • Venture

    At every stage of TechCrunch, Charles Hudson tells us what investors really see

    June 30, 2025

    From $5 to Financial Empowerment: Why Stash co-founder Brandon Krieg is a must-see for TechCrunch All Stage 2025

    June 30, 2025

    A comprehensive list of 2025 tech layoffs

    June 30, 2025

    How to prepare for a second semester salary increase now live in 2025

    June 30, 2025

    Tiffany is lucky to have won a VCS at TC at every stage.

    June 30, 2025
TechBrunchTechBrunch

Students Raise Concerns About Mobile Guardian MDM Security Weeks Before Cyberattack

TechBrunchBy TechBrunchAugust 10, 20244 Mins Read
Facebook Twitter Pinterest Telegram LinkedIn Tumblr WhatsApp Email
Share
Facebook Twitter LinkedIn Pinterest Telegram Email


A purported student in Singapore has published documents revealing weak security in Mobile Guardian, a popular school mobile device management service that was targeted by a cyber attack a few weeks ago that wiped masses of student devices and caused widespread disruption.

In an email to TechCrunch, the student, who declined to be named for fear of legal retaliation, said he reported the bug to the Singapore government in late May by email but was unsure whether it had been fixed. While the Singapore government told TechCrunch the bug was fixed before the Mobile Guardian cyberattack on August 4, the student said that because the bug was easy to find and easily exploitable even by inexperienced attackers, he is concerned that there may be other vulnerabilities that could be similarly exploited.

UK-based Mobile Guardian, which provides student device management software to thousands of schools around the world, disclosed the breach on August 4 and shut down its platform to block malicious access, but the intruders used that access to remotely wipe thousands of student devices.

The next day, the student published details of the vulnerability that he had previously sent to the Singapore Ministry of Education, which has been Mobile Guardian's major client since 2020.

In a Reddit post, the student said that a security bug he discovered in Mobile Guardian granted all signed-in users “super admin” access to the company's user management system. With that access, the student said, a malicious actor could potentially perform actions only available to school administrators, such as the ability to “reset each person's personal learning devices.”

The students wrote that they reported the issue to Singapore's Ministry of Education on May 30. Three weeks later, the ministry responded to the students by telling them the flaw was “no longer an issue,” but declined to provide them with further details, citing “commercial confidentiality,” according to emails reviewed by TechCrunch.

When contacted by TechCrunch, the department confirmed that a security researcher had reported the bug, with spokesman Christopher Lee saying that “the vulnerability was discovered as part of a previous security review and had already been fixed.”

“We also confirmed that the disclosed exploit no longer worked after the patch was applied. A further assessment was carried out by an independent certified penetration tester in June, which did not detect any such vulnerabilities,” the spokesperson said.

“However, we recognize that cyber threats evolve rapidly and new vulnerabilities may be discovered,” the spokesperson said, adding that the department “takes any disclosures of such vulnerabilities seriously and will thoroughly investigate them.”

Bugs that can be exploited in anyone's browser

The students described the bug to TechCrunch as a client-side privilege escalation vulnerability that allowed anyone on the internet to create new Mobile Guardian user accounts with extremely high levels of system access using only the tools in a web browser, allegedly because Mobile Guardian's servers did not perform proper security checks and trusted responses from users' browsers.

The bug meant that by modifying the browser's network traffic, it was possible to trick the server into granting a higher level of system access for a user's account.

TechCrunch was provided with a video (recorded on May 30th when it was made public) that demonstrates how the bug works. The video shows a user creating a “superadmin” account using only the browser's built-in tools, then modifying network traffic containing the user's role, elevating that account's access from “administrator” to “superadmin.”

The video showed the server accepting the modified network request and logging in as the newly created “super admin” user account granted access to a dashboard showing a list of schools registered with Mobile Guardian.

Mobile Guardian CEO Patrick Lawson did not respond to multiple requests for comment before publication, including questions about the students' vulnerability reports and whether the company had fixed the bugs.

After we contacted Lawson, the company updated its statement to read, “Internal and third-party investigations into previous vulnerabilities in the Mobile Guardian platform have been resolved and confirmed to no longer pose a risk.” The statement did not say when the previous flaws were resolved, nor did it explicitly deny any connection between the previous flaws and the August cyberattack.

This is the second security incident to hit Mobile Guardian this year. In April, Singapore's Ministry of Education confirmed that the company's administration portal had been hacked, exposing personal information of parents and staff from hundreds of schools across Singapore. The ministry said the breach was due to the company's lax password policies, rather than vulnerabilities in Mobile Guardian's systems.

Want to know more about the Mobile Guardian cyberattack? Have you been a victim? Let us know. You can contact this reporter on Signal and WhatsApp (+1 646-755-8849) or by email. You can send us files and documents via SecureDrop.



Source link

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email

Related Posts

US government overthrows North Korea's major “workers” management

June 30, 2025

Mexican drug cartel hackers spy on FBI officials' phones to track and kill informants, the report says

June 30, 2025

FBI, cybersecurity firms say prolific hacking crews are currently targeting airlines and transportation sectors

June 28, 2025

Prolific cybercrime gangs currently targeting the airline and transportation sector

June 27, 2025

US and French authorities confirm arrest of a violation form hacker

June 26, 2025

Homeland Security warns about Iran-backed cyberattacks targeting US networks

June 26, 2025

Leave A Reply Cancel Reply

Top Reviews
Editors Picks

7 days left: Founders and VCs save over $300 on all stage passes

March 24, 2025

AI chip startup Furiosaai reportedly rejecting $800 million acquisition offer from Meta

March 24, 2025

20 Hottest Open Source Startups of 2024

March 22, 2025

Andrill may build a weapons factory in the UK

March 21, 2025
About Us
About Us

Welcome to Tech Brunch, your go-to destination for cutting-edge insights, news, and analysis in the fields of Artificial Intelligence (AI), Cryptocurrency, Technology, and Startups. At Tech Brunch, we are passionate about exploring the latest trends, innovations, and developments shaping the future of these dynamic industries.

Our Picks

Instagram lets you share Spotify songs with your story to your sound

June 30, 2025

At every stage of TechCrunch, Charles Hudson tells us what investors really see

June 30, 2025

Baidu’s AI Breakthrough Hasn’t Been Priced In — Why BIDU Could Hit $120 Soon

June 30, 2025

Subscribe to Updates

Subscribe to our newsletter and never miss our latest news

Subscribe my Newsletter for New Posts & tips Let's stay updated!

© 2025 TechBrunch. Designed by TechBrunch.
  • Home
  • About Tech Brunch
  • Advertise with Tech Brunch
  • Contact us
  • DMCA Notice
  • Privacy Policy
  • Terms of Use

Type above and press Enter to search. Press Esc to cancel.