
Weak data security at WhiteHat Jr led to a breach of the personal data of 2.8 lakh students and teachers enrolled on the BYJU’S-owned online coding platform. The data was reportedly exposed for an undetermined time, until mid-November, because of multiple vulnerabilities in the company’s server. WhiteHat Jr has reportedly fixed the issue after it was brought to its notice; however, it is as yet unclear whether any of the user data was compromised while the flaw remained unfixed.
According to a cybersecurity researcher who chose to remain anonymous, the BYJU’S-owned company was using Amazon Web Services (AWS) servers, and the S3 buckets where data is stored were left open, allowing access to folders containing documents, files, data and videos. Typically, these folders are accessible only to authorised company personnel with a username and a password.
WhiteHat Jr told the press, “Based on the information received from responsible disclosures made to WhiteHatJr about possible security vulnerabilities, we reviewed our setup and patched the identified vulnerabilities… We always strive to improve our customer experience and performance of the application, and to support this we use various industry-validated tools and software.”
The exposed database included the personal data of thousands of minors, their parents and guardians, as well as teachers, along with documents related to WhiteHat Jr, which is currently embroiled in multiple court cases. Additionally, internal company documents related to employee salaries were exposed, as well as dozens of recorded videos of the classes being conducted on WhiteHat Jr’s platform.
Responding to queries about data collection, WhiteHat Jr had told the publication that the company stores basic customer data such as name, contact information, projects and curriculum-related info, and pictures. The data collected is stored with the required consent of the party involved. The company has emphasised that there is no other personally identifiable information (PII) of its customers, employees or suppliers collected or processed by WhiteHat Jr on its applications.
The researcher had reached out to WhiteHat Jr on October 26, but received no response. The researcher then mailed the company’s CTO, Pranab Dash, on November 19 and 20, and received a response on November 21.
Meanwhile, according to queue management app DINGG’s founder Santosh Patidar, WhiteHat Jr was also found to have been leaking personal data through its API (Application Programming Interface), where one user could view another’s data including transaction details. This vulnerability was later fixed.