🔥 Explore this insightful post from TechCrunch 📖
📂 **Category**: Security,cybersecurity,data breach,Exclusive,ravenna hub
A student admissions website used by families to register children for schools has fixed a security vulnerability that was exposing their personal information.
The Ravenna Hub website, which allows parents to apply and track the status of their children’s applications across thousands of schools, was allowing any logged-in user to access personally identifiable data associated with any other user, including their children.
The exposed data includes children’s names, dates of birth, addresses, photographs and details about their school. Parents’ email addresses and phone numbers were also revealed, as well as information about the children’s siblings.
Florida-based VentureEd Solutions, which develops and maintains Ravenna Hub, says on its website that it serves more than 1 million students and processes hundreds of thousands of applications annually.
TechCrunch first learned of the vulnerability on Wednesday and alerted the company shortly after. VentureEd fixed the bug the same day, but TechCrunch held this report back so we could verify the bug was fixed.
Nick Laird, CEO of VentureEd Solutions, told TechCrunch in an email that the company was able to replicate the issue and addressed the vulnerability.
Laird said the company is investigating the incident, but he would not commit to notifying users about the vulnerability, or say, when asked by TechCrunch, if the company has the ability to verify whether there was any improper access to other users’ data. We also asked whether Ravenna Hub’s security has been vetted by a third party, and if so, by whom. Laird did not say, and declined to comment further.
It’s not clear who, if anyone, oversees cybersecurity at VentureEd and Ravenna Hub.
The vulnerability is known as Insecure Direct Object Reference, or IDOR, and is a common vulnerability that allows users to access stored information due to weak or non-existent security controls on the servers in question.
In practice, the bug could have allowed any logged-in user to access another student’s application file, including their personal information, by modifying the unique number associated with the student’s profile using their web browser’s address bar.
In the case of Ravenna Hub, student numbers are sequential, meaning it was possible for any user to access another student’s data by changing the profile number by one or more digits.
When TechCrunch created a new account with test data, we found that the web address contained a seven-digit number. As such, there were just over 1.63 million records prior to our registration that would have been accessible to any other user.
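As an added illustration (not code from TechCrunch, VentureEd or Ravenna Hub), the sketch below shows the missing object-level authorization check behind an IDOR next to a corrected lookup, plus an audit log that lets an operator review which accounts requested records they do not own. All names, ids and records are constructed for the example.

```python
# Constructed sample data: sequential student ids, each owned by one parent account.
STUDENTS = {
    1000001: {"owner": "parent_a", "name": "Child A"},
    1000002: {"owner": "parent_b", "name": "Child B"},
    1000003: {"owner": "parent_b", "name": "Child C"},
}
AUDIT_LOG = []  # (user, student_id, allowed) tuples written by the checked lookup


class NotFound(Exception):
    """Raised for missing AND unauthorized ids, so replies do not reveal which ids exist."""


def get_profile_idor(user, student_id):
    """Flawed pattern: the caller is authenticated, but the id from the URL is trusted."""
    if user is None:
        raise PermissionError("login required")
    return STUDENTS[student_id]  # no check that `user` owns this record


def get_profile_checked(user, student_id):
    """Object-level authorization: the record must belong to the requesting account."""
    if user is None:
        raise PermissionError("login required")
    record = STUDENTS.get(student_id)
    allowed = record is not None and record["owner"] == user
    AUDIT_LOG.append((user, student_id, allowed))  # keep evidence of every decision
    if not allowed:
        raise NotFound(student_id)
    return record


def accounts_probing_ids(log, threshold=3):
    """Return accounts with at least `threshold` distinct denied ids, for review."""
    denied = {}
    for user, student_id, allowed in log:
        if not allowed:
            denied.setdefault(user, set()).add(student_id)
    return sorted(u for u, ids in denied.items() if len(ids) >= threshold)
```

Non-sequential identifiers make records harder to guess, but the ownership check in `get_profile_checked` is what closes the flaw.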
This is the latest case of a minor security flaw affecting children’s personal information. In January, online mentoring site UStrive disclosed the personal information of its users, many of whom are still in school.
🕒 **Posted on**: 1771514174
