Around 400,000 German student records were recently exposed due to a flaw in an application programming interface (API).

The API bug was found in a student community application known as Scoolio, a platform widely used throughout Germany. The flaw was identified by security researcher Lilith Wittmann from Germany’s IT security collective “Zerforschung”. As soon as the dangerous bug was discovered, the collective disclosed its findings to Scoolio’s team.

What is Scoolio and how does it work?

German-owned Scoolio is a student community app that was created with the goal of enhancing time management skills, facilitating homework planning and tutoring, and offering group chats that enable students to easily network with their peers. The application also lets enterprises connect with campus students so they can share internship opportunities and job openings.

Scoolio gains revenue by collecting information generated via these features and tools, then monetises it using targeted advertising, yet Scoolio states openly that it does not share or collect student data without prior consent.

To grow student membership, the app has now partnered with many schools across Germany. It has encouraged them to use the platform to assist remote teaching. The app has been used for file exchanges and for collecting digital homework remotely.

The app’s development was backed financially by three state-owned investing groups.

Due to these partnerships and government support, many students now use the application as a standard tool for their classes.

Private information exposed

In the report recently issued by Zerforschung, Wittmann explained how she managed to exploit Scoolio API flaws in order to prove that extremely sensitive information could be retrieved for any user ID engaging with the application.

The exposed sensitive data of students included user nicknames, email addresses for users and their parents, most recent GPS location when the app was used, school and class names, and personal interests, along with personal details such as a user’s religion, sexuality and nation of origin.

Zerforschung commented that it disclosed the identified flaw to Scoolio back on September 21st. However, it was not until October 25th that the developer managed to resolve the issue with a security patch. As the fix was relatively simple but the leak extremely dangerous, Wittmann commented that remediation measures should have occurred sooner.

Founder of the app and CEO of Scoolio, Danny Roller, thanked the collective in a recent statement:

“I would like to thank Ms. Wittmann for the information and the SDS for the exchange and thank you for your feedback on our security measures. Fortunately, after extensive testing, we can confirm that no user data was intercepted by third parties prior to the investigation by Ms. Wittmann and we have successfully closed the gaps found.”

The Zerforschung report commented on its findings regarding how many users were impacted:

“We cannot say exactly how many students are affected. Because Scoolio artificially inflates its user numbers by creating accounts without asking.”

Scoolio currently states that around 1.8 million people use its app, although Wittmann suggested that the actual number is nearer to 400,000 based on the way that user IDs are generated.