Bug in student admissions website exposed children’s personal information

A student admissions website used by families to enrol children in schools has fixed a security flaw that exposed sensitive personal information.

The website, Ravenna Hub, which parents use to apply to schools and track the status of their children’s applications across thousands of institutions, was allowing any logged-in user to access personally identifiable data tied to other users — including information about their children.

The exposed data included children’s names, dates of birth, home addresses, photographs, and school details. Parents’ email addresses and phone numbers were also accessible, along with information about children’s siblings.

VenturEd Solutions, the Florida-based company that develops and maintains Ravenna Hub, says on its website that the platform serves more than 1 million students and processes hundreds of thousands of applications each year.

Nick Laird, chief executive of VenturEd Solutions, said in an email that the company had reproduced the issue and had since fixed the vulnerability.

Laird said the company is investigating the incident, but he did not commit to notifying users about the security lapse. He also did not say whether VenturEd could determine whether there was any improper access to other users’ data. When asked whether Ravenna Hub’s security had been reviewed by a third-party — and if so, by whom — Laird declined to provide details and did not comment further.

It is not clear who, if anyone, is responsible for cybersecurity oversight at VenturEd and Ravenna Hub.

The weakness is known as an insecure direct object reference, or IDOR — a common type of flaw that can allow users to access stored information due to weak or missing access controls on the server.

In practical terms, the bug allowed any logged-in user to access another student’s profile and personal details by changing the unique number tied to a student record directly in the browser’s address bar.

In Ravenna Hub’s case, those student numbers were sequential, meaning a user could access other students’ data by incrementing or decrementing the profile number by 1 or more digits.

After creating a new account with test data, it was found that the profile URL contained a seven-digit number. That indicated that slightly more than 1.63 million records existed before the test account and were accessible to any other logged-in user.

The incident is the latest example of a basic security flaw exposing children’s personal information. In January, online mentoring platform UStrive exposed user data, including information tied to students who are still in school.