A purported student in Singapore has published documents revealing weak security in Mobile Guardian, a popular school mobile device management service that was targeted by a cyberattack a few weeks ago that wiped large numbers of student devices and caused widespread disruption.
In an email to TechCrunch, the student, who declined to be named for fear of legal retaliation, said he reported the bug to the Singapore government in late May by email but was unsure whether it had been fixed. While the Singapore government told TechCrunch the bug was fixed before the Mobile Guardian cyberattack on August 4, the student said that because the bug was easy to find and easily exploitable even by inexperienced attackers, he is concerned that there may be other vulnerabilities that could be similarly exploited.
UK-based Mobile Guardian, which provides student device management software to thousands of schools around the world, disclosed the breach on August 4 and shut down its platform to block malicious access, but the intruders used that access to remotely wipe thousands of student devices.
The next day, the student published details of the vulnerability that he had previously sent to the Singapore Ministry of Education, which has been Mobile Guardian's major client since 2020.
In a Reddit post, the student said that a security bug he discovered in Mobile Guardian granted all signed-in users “super admin” access to the company's user management system. With that access, the student said, a malicious actor could potentially perform actions only available to school administrators, such as the ability to “reset each person's personal learning devices.”
The student wrote that he reported the issue to Singapore's Ministry of Education on May 30. Three weeks later, the ministry responded by telling him the flaw was “no longer an issue,” but declined to provide further details, citing “commercial confidentiality,” according to emails reviewed by TechCrunch.
When contacted by TechCrunch, the ministry confirmed that a security researcher had reported the bug, with spokesman Christopher Lee saying that “the vulnerability was discovered as part of a previous security review and had already been fixed.”
“We also confirmed that the disclosed exploit no longer worked after the patch was applied. A further assessment was carried out by an independent certified penetration tester in June, which did not detect any such vulnerabilities,” the spokesperson said.
“However, we recognize that cyber threats evolve rapidly and new vulnerabilities may be discovered,” the spokesperson said, adding that the ministry “takes any disclosures of such vulnerabilities seriously and will thoroughly investigate them.”
Bugs that can be exploited in anyone's browser
The student described the bug to TechCrunch as a client-side privilege escalation vulnerability that allowed anyone on the internet to create new Mobile Guardian user accounts with extremely high levels of system access using only the tools built into a web browser, allegedly because Mobile Guardian's servers did not perform proper security checks and trusted the role data sent from users' browsers.
The bug meant that by modifying the browser's network traffic, it was possible to trick the server into granting a higher level of system access for a user's account.
TechCrunch was provided with a video (recorded on May 30 and later made public) that demonstrates how the bug works. The video shows a user creating an account using only the browser's built-in tools, then modifying the network traffic containing the user's role, elevating that account's access from “administrator” to “superadmin.”
The video showed the server accepting the modified request; logging in as the newly created “super admin” account then granted access to a dashboard showing a list of schools registered with Mobile Guardian.
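The bug class the student describes, as an added illustration that is not Mobile Guardian's code: a hypothetical account-creation handler that copies the role from the request body, beside a hardened version that authorises the requested role against the caller's server-side session, plus a simple audit check over constructed log events. Role names, the rank ordering and all function names are assumptions.

```python
# Added illustration of the bug class described above (a server that trusts the role
# a client sends); hypothetical handlers, not Mobile Guardian's code.
ROLE_RANK = {"user": 0, "administrator": 1, "superadmin": 2}  # assumed hierarchy


class Forbidden(Exception):
    """Raised when the caller is not allowed to grant the requested role."""


def create_user_vulnerable(session, body):
    """Vulnerable pattern: the role is copied straight from the request body.

    The browser-side form may only offer 'administrator', but the server never
    checks, so an edited request carrying 'superadmin' is honoured as sent."""
    return {"username": body["username"], "role": body.get("role", "user")}


def create_user_hardened(session, body):
    """Hardened pattern: validate the role and authorise it against the caller's
    session, which the server established at login and the client cannot edit."""
    requested = body.get("role", "user")
    if requested not in ROLE_RANK:
        raise ValueError(f"unknown role {requested!r}")
    caller_rank = ROLE_RANK.get(session.get("role"), -1)
    # Only administrators and above may create accounts, and nobody may grant above their own rank.
    if caller_rank < ROLE_RANK["administrator"] or ROLE_RANK[requested] > caller_rank:
        raise Forbidden(f"{session.get('role')!r} may not grant {requested!r}")
    return {"username": body["username"], "role": requested}


def audit_role_grants(events):
    """Detection: flag historical account creations whose granted role exceeds
    the creator's own role. `events` is a constructed list of dicts with keys
    creator_role, new_user and granted_role, standing in for an audit log."""
    flagged = []
    for e in events:
        if ROLE_RANK.get(e["granted_role"], 0) > ROLE_RANK.get(e["creator_role"], -1):
            flagged.append(e["new_user"])
    return flagged


if __name__ == "__main__":
    session = {"user": "alice", "role": "administrator"}  # constructed login session
    tampered = {"username": "mallory", "role": "superadmin"}  # constructed edited request
    print(create_user_vulnerable(session, tampered))  # superadmin granted
    try:
        create_user_hardened(session, tampered)
    except Forbidden as exc:
        print("rejected:", exc)
```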
Mobile Guardian CEO Patrick Lawson did not respond to multiple requests for comment before publication, including questions about the student's vulnerability report and whether the company had fixed the bugs.
After we contacted Lawson, the company updated its statement to read, “Internal and third-party investigations into previous vulnerabilities in the Mobile Guardian platform have been resolved and confirmed to no longer pose a risk.” The statement did not say when the previous flaws were resolved, nor did it explicitly deny any connection between the previous flaws and the August cyberattack.
This is the second security incident to hit Mobile Guardian this year. In April, Singapore's Ministry of Education confirmed that the company's administration portal had been hacked, exposing personal information of parents and staff from hundreds of schools across Singapore. The ministry said the breach was due to the company's lax password policies, rather than vulnerabilities in Mobile Guardian's systems.
Want to know more about the Mobile Guardian cyberattack? Have you been a victim? Let us know. You can contact this reporter on Signal and WhatsApp (+1 646-755-8849) or by email. You can send us files and documents via SecureDrop.