UStrive security lapse exposed personal data of its users, including children
A security lapse at UStrive exposed personal data of its users, including children, raising concerns over data protection, privacy safeguards, and platform security practices.
A security lapse on the online mentoring platform UStrive has been fixed after sensitive personal information belonging to its users, including children, was exposed.
The vulnerability allowed logged-in users to access private data belonging to other users on the platform. The exposed information included full names, email addresses, phone numbers, and additional non-public details that users had submitted to UStrive.
UStrive, a nonprofit organisation formerly known as Strive for College, offers online mentorship services to high school and college students. The organisation declined to say whether it intends to notify affected users about the incident.
The issue was brought to light last week after an individual, who requested anonymity, contacted TechCrunch to report the security flaw. The person explained that by inspecting network traffic while logged in and browsing the site — such as when viewing user profiles — it was possible to see large amounts of other users’ personal information through standard browser developer tools.
According to the individual, UStrive was using an unsecured GraphQL endpoint hosted on Amazon Web Services (AWS) infrastructure. GraphQL is a query language for fetching data through an API, and in this case the endpoint returned extensive user data stored on UStrive’s servers to any logged-in user, not only the data belonging to the requester. Some user records contained more detailed information than others, including student-provided data such as gender and date of birth. At the time the issue was discovered, there were reportedly at least 238,000 user records accessible. UStrive’s website, however, states that more than 1.1 million students have opted in to receive mentorship through its platform.
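The failure described above is an authorization gap in the resolver, not a flaw in GraphQL itself. The following added example (not UStrive’s code; the store, field names and records are constructed for illustration) contrasts a resolver that returns a whole stored record to any authenticated viewer with one that enforces an owner-only rule for the non-public fields named in the article, plus the regression check a reviewer would want.

```javascript
// Added example (hypothetical, not UStrive's code): field-level authorization
// in a GraphQL-style user resolver. All names, fields and records are constructed.

// Constructed sample store of user records.
const USERS = {
  u1: { id: 'u1', fullName: 'Alex Example', email: 'alex@example.test',
        phone: '+1-555-0100', gender: 'F', dateOfBirth: '2008-04-12' },
  u2: { id: 'u2', fullName: 'Sam Sample', email: 'sam@example.test',
        phone: '+1-555-0101', gender: 'M', dateOfBirth: '2006-09-30' },
};

// Fields any logged-in user may see on another member's profile.
const PUBLIC_FIELDS = ['id', 'fullName'];
// Fields that must only ever be returned to the record's owner.
const PRIVATE_FIELDS = ['email', 'phone', 'gender', 'dateOfBirth'];

// Vulnerable pattern: the resolver only checks that *someone* is logged in,
// then hands back the full record regardless of whose it is.
function resolveUserVulnerable(viewerId, args) {
  if (!viewerId) throw new Error('unauthenticated');
  const user = USERS[args.id];
  return user ? { ...user } : null;
}

// Hardened resolver: authentication check plus a field-level check that releases
// private fields only when the viewer owns the record. The filter runs server-side,
// so a client cannot widen it by requesting extra fields in the query.
function resolveUserHardened(viewerId, args) {
  if (!viewerId) throw new Error('unauthenticated');
  const user = USERS[args.id];
  if (!user) return null;
  const allowed = viewerId === user.id
    ? [...PUBLIC_FIELDS, ...PRIVATE_FIELDS]
    : PUBLIC_FIELDS;
  return Object.fromEntries(allowed.filter(f => f in user).map(f => [f, user[f]]));
}

// Regression check: a logged-in viewer (u1) must never receive another
// user's (u2) private fields. Returns true if the resolver leaks them.
function leaksPrivateFields(resolver) {
  const result = resolver('u1', { id: 'u2' });
  return result !== null && PRIVATE_FIELDS.some(f => f in result);
}
```

Running `leaksPrivateFields` against each resolver in a test suite turns the class of bug in the article into a failing build rather than a disclosure.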
TechCrunch independently verified the exposure by creating a new UStrive account and observing the same behaviour. The publication then contacted the company’s executives by email on Thursday to disclose the issue.
Later that day, John D. McIntyre, an attorney at Virginia-based law firm McIntyre Stein, which represents UStrive, sent a letter to TechCrunch. In the letter, McIntyre said the organisation is currently involved in litigation with a former software engineer, which he said limited UStrive’s ability to respond fully at the time.
TechCrunch informed McIntyre that the platform was still exposing private and sensitive information belonging to children and asked to be notified if and when the issue would be addressed. McIntyre did not reply to that follow-up.
UStrive’s chief technology officer, Dwamian McLeish, later told TechCrunch by email late Thursday that the security exposure had been “remediated.”
Following that statement, TechCrunch sent additional questions to McLeish seeking clarification on several points. These included whether UStrive plans to notify users about the incident, whether the company can determine if any user data was accessed improperly or maliciously, and whether the platform has undergone a security audit, and if so, by whom.