✨ Discover this trending post from TechCrunch 📖
📂 **Category**: Security,college search,cybersecurity,data exposure,Exclusive,mentorship
Online mentoring site UStrive has resolved a security flaw that exposed the personal information of its users, including children.
The exposed data included full names, email addresses, phone numbers, and other non-public information provided by UStrive users, all of which was accessible to any other logged-in user.
The nonprofit, formerly known as Strive for College, provides online mentoring to high school and college students through its platform. The organization did not say whether it plans to inform users of the security incident.
Last week, a person who requested to remain anonymous alerted TechCrunch to a security flaw in UStrive’s mentoring platform. By examining network traffic while logged in and navigating the site (for example, by viewing user profiles), a person could see streams of users’ personal information in their browser tools.
UStrive was relying on a vulnerable Amazon-hosted GraphQL endpoint (a type of database query interface) that allowed access to sets of user data stored on UStrive’s servers, the person said. Some user records contain more data than others, including information provided by the user, such as their gender and date of birth. There were at least 238,000 user records at the time of discovery, the person said. Meanwhile, UStrive states on its homepage that more than “1.1 million students have chosen to get a UStrive mentor.”
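The class of flaw described above (a logged-in user receiving other users' full records) is a missing per-field authorization check in the resolver. The sketch below is an added example, not code from TechCrunch or UStrive: the field names, the mentor relationship and the sample records are all assumptions constructed for illustration.

```javascript
// Added example: deny-by-default field authorization for a user-profile resolver.
// Field names, relationships and sample records are constructed, not UStrive's schema.

// Fields each relationship to the record may read. Anything not listed is withheld.
const READABLE_FIELDS = {
  self:   ["id", "displayName", "fullName", "email", "phone", "gender", "dateOfBirth"],
  mentor: ["id", "displayName", "fullName", "email"], // assumed: assigned mentor only
  other:  ["id", "displayName"],
};

// Decide how the authenticated requester relates to the target record.
function relationship(requester, target) {
  if (!requester || !requester.id) return null; // unauthenticated
  if (requester.id === target.id) return "self";
  if (Array.isArray(target.mentorIds) && target.mentorIds.includes(requester.id)) return "mentor";
  return "other";
}

// Model of the behaviour the article describes: authentication is the only gate,
// so the whole stored record goes back to any logged-in user.
function resolveUserProfileUnsafe(requester, target) {
  if (!requester || !requester.id) throw new Error("authentication required");
  return target;
}

// Hardened form: copy only allowlisted fields into the response.
function resolveUserProfile(requester, target) {
  const rel = relationship(requester, target);
  if (rel === null) throw new Error("authentication required");
  const out = {};
  for (const field of READABLE_FIELDS[rel]) {
    if (Object.prototype.hasOwnProperty.call(target, field)) out[field] = target[field];
  }
  return out;
}

// Regression check: fields present in a response that the relationship may not read.
function leakedFields(response, rel) {
  const allowed = new Set(READABLE_FIELDS[rel]);
  return Object.keys(response).filter((f) => !allowed.has(f));
}

// Constructed sample data.
const student = { id: "u1", displayName: "Sam", fullName: "Sam Example",
  email: "sam@example.test", phone: "555-0100", gender: "x",
  dateOfBirth: "2009-01-01", mentorIds: ["u2"] };
const mentor = { id: "u2" };
const stranger = { id: "u3" };
```

Running `leakedFields` over captured API responses in an integration test catches a resolver that regresses to returning whole records.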
TechCrunch confirmed the data exposure after creating a new user account on UStrive, and notified company executives via email on Thursday.
John D. McIntyre, an attorney with the Virginia law firm McIntyre Stein, which represents UStrive, said in a letter provided to TechCrunch later Thursday that UStrive is “currently in litigation with one of its former software engineers,” and so the company is “somewhat limited in its ability to respond.”
TechCrunch told McIntyre that the company at the time was still struggling with a vulnerability that exposed children’s private and personal information, and asked McIntyre to notify TechCrunch if UStrive planned to fix the data disclosure, and if so, by when.
McIntyre did not respond to our inquiry.
In response to TechCrunch’s initial outreach, Dwamian Mcleish, chief technology officer at UStrive, told TechCrunch via email late Thursday that the exposure had been “addressed.”
TechCrunch sent follow-up emails to Mcleish with more questions about the incident, including: whether the company planned to notify its users about the vulnerability, whether the company had the ability to verify whether there was any inappropriate or malicious access to users’ data, whether the company’s platform had undergone a security audit, and if so, by whom.
UStrive founder Michael J. Carter has not commented for this article.
🕒 **Posted on**: 1768987386
