Approximately 400,000 users of Scoolio, a student community app widely used in Germany, had sensitive information exposed due to an API flaw in the platform.
Lilith Wittmann, a security researcher from the IT security collective “Zerforschung”, discovered the bug and immediately disclosed her findings to the Scoolio team.
Scoolio is a German student community app that offers time management tools, tutoring, homework planning, and group chats for networking with peers.
The app also allows companies to network with students to share job openings or internship opportunities. Scoolio makes money by collecting data generated through these tools and features and then monetizing it with targeted advertising.
However, Scoolio states that they do not collect or share any information from students without their consent. To build student membership, Scoolio has partnered with schools around Germany to use their platform as a remote teaching assistance tool for file exchanges or remote digital homework collection.
Its development was financially backed by three state-owned investment groups, namely SIB Innovations- und Beteiligungsgesellschaft mbH, Technologiegründerfonds Sachsen, and Kreissparkasse Bautzen.
Because of these partnerships and the government backing, many students use the app as a standard tool in their classes.
Data exposed by leaky API
In Zerforschung’s report, Wittmann explains how she exploited Scoolio API flaws to retrieve extremely sensitive data for any user ID used on the app.
The exposed personal data includes:
- User nickname
- User and parent email addresses
- GPS location at which the app was last opened
- Name of school and class
- UUID details
- Personality traits (origin, religion, sexuality)
Wittmann shared a fictitious sample of the types of data exposed by the flaw below.
While Scoolio states that 1.8 million people use its app, the researcher believes that the actual number is closer to 400,000, based on how user IDs are created.
“We cannot say exactly how many students are affected. Because scoolio artificially inflates its user numbers by creating accounts without asking: As soon as you download the app and open it once, an empty profile with a UUID is generated – regardless of whether you actually want to create a user account,” explains the Zerforschung report.