Students expressed security issues in Mobile Guardian MDM weeks before the incident

An individual posing as a student in Singapore posted a document revealing security vulnerabilities in a popular student mobile device management service called Mobile Guardian.Only weeks earlier, a hack on the company had erased swaths of data from student devices and led to countrywide outages.

He messaged the student, who requested anonymity for fear of being charged, to say that he had reported the lapse to the Singaporean government in late May but wasn't sure if it was resolved. The Singapore government announced  that the error was modified before the Guardian Mobile's cyber attack on August 4th, but students are very easy to find an error and have little experience in the excluded field. I declared for the attacker. Mobile Guardians in the UK offer software that manages thousands of schools in schools in the world with thousands of devices. The next day, the student published details of the vulnerability that he had submitted to the Singapore Ministry of Education, which has been a major Mobile Guardian customer since 2020.

In a Reddit post, the student said the security bug he found in Mobile Guardian granted logged-in users "super admin" privileges to the company's user management system. With that access, the student said, an attacker could perform actions reserved for school administrators, including the ability to “reset each person’s personal learning device,” he said. The student wrote that he reported the issue to Singapore’s Ministry of Education on May 30. Three weeks later, the ministry responded to students by telling them the flaw was "no longer an issue," but declined to share details, citing "commercial considerations," according to an email seen.

When contacted by the ministry confirmed that it had been informed of the bug by a security researcher, and that "the vulnerability had been detected as part of a previous security check and had already been fixed," according to spokesman Christopher Lee. "In addition, it was confirmed that the revealed feat was no longer functioning after the patch. In June, an independent certified tester was evaluated for additional evaluation, and no such vulnerability was found." The representative said. "However, we understand that cyber threats evolve rapidly and new vulnerabilities may be discovered," the spokesperson said, adding that the department "takes this vulnerability disclosure seriously and will thoroughly investigate it."

Any user's browser generates an exploitable error

The student explained  that the bug is a client-side privilege escalation vulnerability that would allow any user on the internet to create a new Mobile Guardian user account with a very high level of system access using only the tools in their web browser. This was allegedly caused by Mobile Guardian's servers not performing proper security checks and not trusting the user's browser response. The bug means that by modifying network traffic within the browser, servers could be tricked into granting higher levels of system access to user accounts.

On May 30, the day of the disclosure, that shows how the bug works. The video users only use a browser tool built to change network traffic, including the role of the user, to increase the access to this account of the "administrator" to "super administrators." It indicates that you will create an administrator account. The video indicates that the server accepts a changed network request and entered the system to access the panel using a recorded mobile guard as a recent account created by a user super administrator. Patrick Lawson, director of Guardian Mobile, did not respond to many comments in comments before the disclosure of students or the company's vulnerability reports. After contacting Lawson, the company updated its statement to read: “Internal and third-party investigations into previous vulnerabilities in the Mobile Guardian platform have been confirmed to be resolved and no longer pose a risk.”

The statement does not specify when the previous vulnerabilities were patched, and the statement does not explicitly rule out a link between the previous vulnerabilities and the August cyberattack.

This is the second security incident to hit Mobile Guardian this year. In April, Singapore's Ministry of Education confirmed that the company's administration portal had been hacked, exposing personal information of parents and staff at hundreds of schools across the country. The ministry blamed the hack on Mobile Guardian's lax password policies, rather than a system vulnerability.