
Sinkie tried to warn MOE about vulnerability in Mobile Guardian app, but was told to fly kite. Look what happened now....

Aaron carter

Alfrescian
Loyal
I alerted MOE of an impending cybersecurity attack on Mobile Guardian two months ago

By Hopeful_Chocolate080

"The vulnerability involves improper access control. This is a critical vulnerability because it allows read and modification of all data in Mobile Guardian systems. Furthermore, it is a trivial vulnerability, with reproduction not taking more than 3 minutes.

Here are the steps to reproduce the vulnerability:

• Sign up for a work account at sg-portal.mobileguardian.com (note that there's an error translate::ecommerce at the location step, simply ignore the error).

• Log in to the dashboard and go to the user management page.

• Invite a user and enable the role admin, making sure the email is valid.

• Open chrome devtools and navigate to the network tab.

• Edit the user without making changes and just click on update.

• Find the request to the route put sg-api.mobileguardian.com/api/users//roles.

• Right click and copy curl request, then make the request again, changing role id to 2.

• Observe that the dashboard shows that the user has roles "admin" and "super".

• Accept the invitation and log in to the dashboard using the new user.

• At the top right corner, click on user settings, on the right side of the username.

• Click on the empty space between the icon and the log out button.

Now you will be brought to Mobile Guardian's administration portal.

I suspect this is Mobile Guardian's internal management portal as mentioned in MOE publications. However, contrary to the publication (which I suppose is the information Mobile Guardian provided), the management portal gives full read and write access to all schools. There is a list of all schools and users on the main page, and there is also a functionality to "impersonate" a user, which is to login as that user without their password. This would also mean that an attacker can do everything school admins can do. For instance, an attacker can reset every person's personal learning device.

At this point, I want to emphasise that this is an extremely trivial vulnerability, and on the software side this is an error even beginner software engineers will not make. I also want to advise that simply resolving this vulnerability is not going to be effective, as there are surely many more trivial vulnerabilities similar to this one.

I strongly urge the Ministry of Education to reconsider whether Mobile Guardian is a suitable vendor to provide DMA services for schools in Singapore. Can we really entrust Singaporeans' data to foreign companies under "contractual obligations"? Can Mobile Guardian handle the massive responsibility if this vulnerability is to be abused? Most importantly, can we even afford to have all our personal data be exposed to the world?

Please help to escalate this issue and I beg to be kept updated. Thank you."

More at https://www.domainofexperts.com/2024/08/i-alerted-moe-of-impending.html
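The defect the quoted report describes is a role-update route that takes the role id straight from the request and only checks that the caller is logged in as an admin. The following is an added example (not code from the report, the forum, or Mobile Guardian; role ids, role names, tenants and user records are constructed) that puts that pattern beside a handler which validates the role, keeps a tenant admin inside their own tenant, and refuses to grant any role that outranks the caller's own:

```python
"""Added example: a role-assignment handler that trusts a client-supplied role id,
beside one that checks the caller's authority first.  Role ids, role names, tenants
and users are constructed for illustration; this is not Mobile Guardian code."""
from dataclasses import dataclass, field

# Constructed role table.  The report says replaying the request with role id 2
# produced a "super" role; these ids only mirror that shape.
ROLES = {1: "admin", 2: "super"}
ROLE_RANK = {"admin": 1, "super": 2}        # "super" outranks a tenant admin


@dataclass
class User:
    id: int
    tenant: str                             # the school / organisation the account belongs to
    roles: set = field(default_factory=set)


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the role change."""


def make_sample_db():
    """Constructed sample users; a fresh copy each call so experiments don't leak."""
    return {
        10: User(10, "school-a", {"admin"}),   # tenant admin, the caller in the report
        11: User(11, "school-a", set()),       # the freshly invited user
        20: User(20, "school-b", {"admin"}),   # admin of an unrelated tenant
        99: User(99, "vendor", {"super"}),     # vendor-level operator
    }


def assign_role_vulnerable(db, caller, target_id, role_id):
    """Defect pattern: any authenticated admin may attach any role id to any user.
    The only check is 'is the caller an admin'; the role comes from the request
    body verbatim and the target's tenant is never compared with the caller's."""
    if "admin" not in caller.roles:
        raise Forbidden("caller is not an admin")
    target = db[target_id]
    target.roles.add(ROLES[role_id])
    return sorted(target.roles)


def assign_role_hardened(db, caller, target_id, role_id):
    """Server-side authorisation: validate the role id, enforce tenant isolation
    (vendor-level 'super' operators excepted) and never let a caller grant a
    role that outranks their own."""
    role = ROLES.get(role_id)
    if role is None:
        raise Forbidden(f"unknown role id {role_id}")
    target = db.get(target_id)
    if target is None or (target.tenant != caller.tenant and "super" not in caller.roles):
        # Same message whether the id is missing or foreign: no tenant enumeration.
        raise Forbidden("target not in caller's tenant")
    caller_rank = max((ROLE_RANK[r] for r in caller.roles), default=0)
    if ROLE_RANK[role] > caller_rank:
        raise Forbidden(f"caller may not grant '{role}'")
    target.roles.add(role)
    return sorted(target.roles)


def attempt(handler, db, caller_id, target_id, role_id):
    """Run a handler and report the outcome as a tuple, which keeps the audit
    trail (and the tests) simple: ('ok', roles) or ('denied', reason)."""
    try:
        return ("ok", handler(db, db[caller_id], target_id, role_id))
    except Forbidden as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    db = make_sample_db()
    print("vulnerable:", attempt(assign_role_vulnerable, db, 10, 11, 2))  # ('ok', ['super'])
    db = make_sample_db()
    print("hardened:  ", attempt(assign_role_hardened, db, 10, 11, 2))    # ('denied', "caller may not grant 'super'")
    print("hardened:  ", attempt(assign_role_hardened, db, 10, 11, 1))    # ('ok', ['admin'])
    print("hardened:  ", attempt(assign_role_hardened, db, 20, 11, 1))    # ('denied', "target not in caller's tenant")
```

The point the hardened version makes is that the role id in the request is untrusted input like any other: the server decides what the caller is allowed to grant from the caller's own stored roles and tenant, not from what the client asks for. The `attempt` wrapper returns a plain tuple so that every denied attempt can be written to an audit log and alerted on; a burst of "caller may not grant 'super'" denials from one account is exactly the signal a defender would want to see.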
 

Aaron carter

Alfrescian
Loyal
MOE now tries to cover its own ass

Mobile Guardian potential vulnerability reported by public had been patched: MOE


SINGAPORE - A report made by a member of the public about a potential Mobile Guardian vulnerability was investigated by the Ministry of Education (MOE), the ministry said on Aug 9.

The report, which was made on May 30, was immediately investigated by MOE.

https://www.straitstimes.com/singap...al-vulnerability-had-been-already-patched-moe