
A person claiming to be a student in Singapore has publicly posted documents showing lax security practices in Mobile Guardian, a widely used school mobile device management service, just weeks before a cyberattack on the company wiped out student devices and caused widespread disruption.
In an email to TechCrunch, the student, who declined to be named for fear of legal retribution, said he reported the bug to the Singapore government by email in late May, but he’s not sure whether it’s been fixed. The Singapore government told TechCrunch that the bug was fixed before the Aug. 4 Mobile Guardian cyberattack, but the student said the bug was so easy to find and trivial for an unsophisticated attacker to exploit that he fears there are other vulnerabilities that could be exploited in similar ways.
Mobile Guardian, a UK company that provides student device management software to thousands of schools worldwide, disclosed the breach on August 4 and shut down its platform to block malicious access, but not before the attackers used their access to remotely wipe thousands of student devices.
A day later, the student disclosed details of the vulnerability he had previously sent to the Singapore Ministry of Education, a major Mobile Guardian customer since 2020.
In a Reddit post, the student said a security bug discovered in Mobile Guardian gave any logged-in user “super admin” access to the company’s user management system. With this access, the student said, a malicious actor could perform tasks reserved only for school administrators, including the ability to “reset everyone’s personal learning devices.”
The student wrote that he reported the issue to Singapore’s Ministry of Education on May 30. Three weeks later, the ministry responded to the student that the glitch was “no longer an issue,” but declined to share further details due to “commercial sensitivity,” according to an email seen by TechCrunch.
When contacted by TechCrunch, the ministry confirmed that it was informed of the bug by a security researcher, and that “the vulnerability was discovered as part of a previous security review and has already been patched,” according to spokesman Christopher Lee.
“We have also confirmed that the publicly disclosed exploit no longer works after the patch. An independent certified penetration tester conducted a further assessment in June and no such vulnerabilities were detected,” the spokesperson said.
“Nevertheless, we are mindful that cyber threats can evolve rapidly and new vulnerabilities may be discovered,” the spokesperson said, adding that the ministry “takes these vulnerability disclosures seriously and will thoroughly investigate them.”
A bug that anyone can exploit in their browser
The student described the bug to TechCrunch as a client-side privilege escalation vulnerability that allowed anyone on the internet to create a new Mobile Guardian user account with extremely high levels of system access using only a web browser’s tools. This was because Mobile Guardian’s servers did not perform proper security checks and instead trusted the data sent by the user’s browser.
This bug means that by modifying the browser's network traffic, it is possible to trick the server into granting the user account higher levels of system access.
TechCrunch was provided with a video, recorded on May 30, the day of the disclosure, showing how the bug works. The video shows a user creating a “super admin” account using only the browser’s built-in tools, then modifying the network traffic containing the user’s role to elevate that account’s access rights from “admin” to “super admin.”
The video shows the server accepting the modified network request; logging in with the newly created “super admin” user account then grants access to a dashboard showing the list of schools registered with Mobile Guardian.
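The flaw class described above, a server storing whatever role the browser sends, is shown here beside a hardened handler as an added example; it is not code from the article or from Mobile Guardian. The role names, the request shape and the rule that a caller may only grant roles below their own are assumptions.

```python
# Added example: role names and request shape are assumptions,
# not Mobile Guardian's actual API.
ROLE_RANK = {"student": 0, "teacher": 1, "admin": 2, "super_admin": 3}


class Forbidden(Exception):
    """Raised when the caller asks for a role it is not allowed to grant."""


def create_user_trusting_client(session, body, db):
    # Vulnerable pattern: the role is copied straight from the request body,
    # so editing the request in the browser changes the stored role.
    user = {"email": body["email"], "role": body.get("role", "student")}
    db.append(user)
    return user


def create_user_checked(session, body, db, audit):
    # Hardened pattern: the caller's role comes from the server-side session
    # (set at login, never from the body) and bounds what may be granted.
    caller_role = session["role"]
    requested = body.get("role", "student")
    if requested not in ROLE_RANK:
        raise Forbidden(f"unknown role {requested!r}")
    # Assumed policy: a caller may only grant roles strictly below their own.
    if ROLE_RANK[requested] >= ROLE_RANK[caller_role]:
        audit.append({"event": "role_escalation_attempt",
                      "caller": session["email"], "requested": requested})
        raise Forbidden(f"{caller_role} may not grant {requested}")
    user = {"email": body["email"], "role": requested}
    db.append(user)
    return user


def demo():
    # Constructed sample data: an admin session and a tampered request body.
    session = {"email": "admin@school.example", "role": "admin"}
    tampered = {"email": "new@school.example", "role": "super_admin"}
    db_weak, db_checked, audit = [], [], []
    weak = create_user_trusting_client(session, tampered, db_weak)
    try:
        create_user_checked(session, tampered, db_checked, audit)
        blocked = False
    except Forbidden:
        blocked = True
    return weak["role"], blocked, db_checked, audit
```

The audit entry written on rejection gives defenders a signal to alert on, since a legitimate client would never request a role above the caller's own.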
Mobile Guardian CEO Patrick Lawson did not respond to multiple requests for comment before publication, including questions about the student's vulnerability report and whether the company had fixed the bug.
After contacting Lawson, the company updated its statement to say: “Internal and third-party investigations into previous vulnerabilities in the Mobile Guardian Platform have been resolved and it has been determined that they are no longer at risk.” The statement did not say when the previous flaws were addressed, nor did it explicitly rule out a link between the previous flaws and the August cyberattack.
This is the second security breach to hit Mobile Guardian this year. In April, Singapore’s Ministry of Education confirmed that the company’s management portal had been hacked, compromising the personal information of parents and staff at hundreds of schools across Singapore. The Ministry attributed the breach to Mobile Guardian’s lax password policy, and not to any vulnerabilities in the system.









