Flaw in Admissions Website Exposed Students' Personal Data


A student admissions website used for enrolling children into schools has corrected a security issue that was leaking personal data. Ravenna Hub, which allows parents to apply and monitor application statuses for their children at numerous schools, had a flaw that let any logged-in user view another user’s personal details, including their children’s information.

Exposed data included children’s names, birthdates, addresses, images, and school details. Parents’ emails and phone numbers, plus information about siblings, were also vulnerable.

Managed by Florida-based VentureEd Solutions, which supports over a million students and handles hundreds of thousands of applications annually, Ravenna Hub faced a significant vulnerability. TechCrunch discovered this flaw on Wednesday, alerting the company promptly. VentureEd addressed the issue the same day, and this report followed a confirmation that the issue was resolved.

Nick Laird, VentureEd’s CEO, confirmed in an email to TechCrunch that the problem had been replicated and resolved. Despite the fix, Laird did not guarantee that users would be notified or say whether there was any unauthorized data access. Queries about third-party security checks and responsible parties for cybersecurity went unanswered.

The flaw was an insecure direct object reference (IDOR), a common security vulnerability. It allowed logged-in users to access another student’s data by altering the unique student number in the URL in their browser.

Ravenna Hub’s student numbers were sequential, so users could change the profile number to view data that was not their own. Creating a test account revealed that over 1.63 million records were exposed before the issue was fixed.
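The missing check behind this class of flaw, as an added example (not Ravenna Hub's code, which the article does not show): a lookup that only verifies the caller is logged in, beside one that ties the student number to the caller's account and tracks denied lookups. The record layout, account names, and alert threshold are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: sequential student numbers, each linked to the
# parent account that owns it. All names and IDs here are hypothetical.
STUDENTS = {
    1001: {"owner": "parent_a", "name": "Child A"},
    1002: {"owner": "parent_b", "name": "Child B"},
    1003: {"owner": "parent_b", "name": "Child C"},
}

class NotFound(Exception):
    """Raised for both missing and not-owned records, so the response
    does not reveal which student numbers exist."""

def get_student_vulnerable(session_user, student_id):
    # IDOR: the caller is authenticated, but nothing ties the requested
    # student number to the caller's account.
    if session_user is None:
        raise PermissionError("login required")
    return STUDENTS[student_id]

@dataclass
class StudentService:
    deny_threshold: int = 3  # assumed alerting threshold
    denied: dict = field(default_factory=dict)

    def get_student(self, session_user, student_id):
        if session_user is None:
            raise PermissionError("login required")
        record = STUDENTS.get(student_id)
        # Object-level authorization: the record must belong to the caller.
        if record is None or record["owner"] != session_user:
            self.denied.setdefault(session_user, set()).add(student_id)
            raise NotFound(student_id)
        return record

    def enumeration_suspects(self):
        # Accounts denied on many distinct student numbers are likely
        # walking the ID space and deserve review.
        return sorted(u for u, ids in self.denied.items()
                      if len(ids) >= self.deny_threshold)
```

Random, non-sequential identifiers make guessing harder, but the ownership check is what closes the hole.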

This incident is another example of simple security flaws compromising children’s personal information. In January, UStrive, an online mentoring platform, had a similar lapse exposing user data, including that of children.
