• IP addresses are NOT logged in this forum so there's no point asking. Please note that this forum is full of homophobes, racists, lunatics, schizophrenics & absolute nut jobs with a smattering of geniuses, Chinese chauvinists, Moderate Muslims and last but not least a couple of "know-it-alls" constantly sprouting their dubious wisdom. If you believe that content generated by unsavory characters might cause you offense PLEASE LEAVE NOW! Sammyboy Admin and Staff are not responsible for your hurt feelings should you choose to read any of the content here.

    The OTHER forum is HERE so please stop asking.

Sinkie tried to warn MOE about vulnerability in Mobile Guardian app, but was told to fly kite. Look what happened now....

Aaron carter

Alfrescian
Loyal
Joined
Jun 4, 2024
Messages
790
Points
43
I alerted MOE of an impending cybersecurity attack on Mobile Guardian two months ago

By Hopeful_Chocolate080

1723018365091.png



"The vulnerability involves improper access control. This is a critical vulnerability because it allows read and modification of all data in Mobile Guardian systems. Furthermore, it is a trivial vulnerability, with reproduction not taking more than 3 minutes.

Here are the steps to reproduce the vulnerability:

Sign up for a work account at sg-portal.mobileguardian.com (note that there's an error translate::ecommerce at the location step, simply ignore the error).

• Login to the dashboard and go to the user management page.

• Invite a user and enable the role admin, making sure the email is valid.

• Open chrome devtools and navigate to the network tab.

• Edit the user without making changes and just click on update.

• Find the request to the route put sg-api.mobileguardian.com/api/users//roles.

• Right click and copy curl request, then make the request again, changing role id to 2.

• Observe that the dashboard shows that the user has roles "admin" and "super".

• Accept the invitation and login to the dashboard using the new user.

• At the top right corner, click on user settings, on the right side of the username.

• Click on the empty space between the icon and the log out button.

Now you will be brought to Mobile Guardian's administration portal.

I suspect this is Mobile Guardian's internal management portal as mentioned in MOE publications. However, contrary to the publication (which I suppose is the information Mobile Guardian provided), the management portal gives full read and write access to all schools. There is a list of all schools and users on the main page, and there is also a functionality to "impersonate" a user, which is to login as that user without their password. This would also mean that an attacker can do everything school admins can do. For instance, an attacker can reset every person's personal learning device.

At this point, I want to emphasise that this is an extremely trivial vulnerability, and on the software side this is an error even beginner software engineers will not make. I also want to advise that simply resolving this vulnerability is not going to be any effective, as there are surely many more trivial vulnerabilities similar to this one.

I strongly urge the Ministry of Education to reconsider whether Mobile Guardian is a suitable vendor to provide DMA services for schools in Singapore. Can we really entrust Singaporean's data to foreign companies under "contractual obligations"? Can Mobile Guardian handle the massive responsibility if this vulnerability is to be abused? Most importantly, can we even afford to have all our personal data be exposed to the world?

Please help to escalate this issue and I beg to be kept updated. Thank you."

More at https://www.domainofexperts.com/2024/08/i-alerted-moe-of-impending.html
 
Chow haiz still ownself fuck ownself and cumming all over themselves
 
MOE now tries to cover its own ass

Mobile Guardian potential vulnerability reported by public had been patched: MOE​


SINGAPORE - A report made by a member of the public about a potential Mobile Guardian vulnerability was investigated by the Ministry of Education (MOE), the ministry said on Aug 9.

The report, which was made on May 30, was immediately investigated by MOE.

https://www.straitstimes.com/singap...al-vulnerability-had-been-already-patched-moe
 
Back
Top