While registering a child for a school fundraiser recently, one of us happened to discover a number of very concerning privacy issues on the platform. (We are not naming the platform at this point, though it is a popular school fundraising website likely serving thousands of schools and millions of students.)
Perhaps the biggest readily observable privacy flaw is that all student profile pages are publicly accessible, contrary to what the platform website states about privacy. It is true that one must know the URL of a page to access it, but that’s quite easy to guess since the database and site URLs use sequentially incremented integers as identifiers rather than UUIDs or some other unique, randomly generated identification string.
As an illustration, the child’s page URL used this syntax:
www.sitedomain.com/entityname/9347869234
Anyone can access the profile page via this URL—it’s completely public. And anyone can see all this child’s classmates by adding or subtracting one from the ID number. Keep going in either direction and you quickly get to students from other schools. Instead of using sequential numbers, which are easily guessed, the IDs should be something completely random and non-incremental like:
123e4567-e89b-12d3-a456-426614174000
It would take well over a trillion years for the fastest supercomputer to guess one of these identifiers, thereby achieving de facto privacy without requiring authentication.
There isn’t a ton of super-sensitive information visible on these student profile pages. But with children, privacy is paramount. And this is a ripe target for a coder with even a rudimentary level of knowledge to write and run a script to iterate through and amass student full names, photos, school names, and donor names (likely parents and relatives) for thousands, if not millions, of children.
Unique IDs Pointless When Indexed by Search Engines
The school signup pages do appear to use a random-looking identifier, which is much more difficult to guess (though it should be longer for better security):
www.sitedomain.com/pluralentityname/EdIlHj
But that doesn’t help in this case because not only are they publicly accessible, they are also indexed by Google, so no guessing is required at all! Landing on one of these school signup pages, one can relatively easily glean lists of teachers and students by typing a letter or designing a simple collection script.
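The two identifier styles above (a sequential integer on the profile pages, a six-letter token on the signup pages) and the UUID the post recommends differ by a quantity one can actually compute: how many bits a stranger must guess. The following is an added example, not code from the post or from the fundraising platform; the ID values, the 52-letter alphabet assumed for the short token, the request rate and the record count are all constructed assumptions chosen to make the comparison concrete.

```python
import math
import secrets

# Constructed stand-ins for the three identifier styles the post describes; none of
# these values come from the platform.
SEQUENTIAL_ID = 9347869234                        # auto-increment style, neighbours are valid
SHORT_TOKEN = "EdIlHj"                            # six letters, signup-page style
UUID_EXAMPLE = "123e4567-e89b-12d3-a456-426614174000"

LETTERS = 52              # A-Z plus a-z, the alphabet the short token appears to use (assumed)
BASE62 = 62               # letters plus digits
UUID4_RANDOM_BITS = 122   # a version-4 UUID fixes 6 of its 128 bits

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits_random(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random token of the given length."""
    return length * math.log2(alphabet_size)


def entropy_bits_sequential(live_records: int) -> float:
    """A sequential counter gives no real entropy: once any id is known, every
    neighbour is a valid record, so the search space is just the record count."""
    return math.log2(live_records)


def years_to_walk(bits: float, requests_per_second: float) -> float:
    """Worst-case time to walk the whole id space at a given request rate.
    The average hit comes at half this; the ratio between styles is what matters."""
    return (2.0 ** bits) / requests_per_second / SECONDS_PER_YEAR


def mint_profile_id(num_bytes: int = 16) -> str:
    """Defender-side replacement for the counter: a random, URL-safe token drawn
    from the OS CSPRNG (128 bits by default), stored as the public handle for the
    record. Each call yields a fresh, unrelated value."""
    return secrets.token_urlsafe(num_bytes)


def compare_styles(requests_per_second: float = 100.0, live_records: int = 1_000_000) -> dict:
    """Years needed to walk each identifier style at the given rate (assumed inputs)."""
    return {
        "sequential": years_to_walk(entropy_bits_sequential(live_records), requests_per_second),
        "six_letters": years_to_walk(entropy_bits_random(LETTERS, 6), requests_per_second),
        "uuid4": years_to_walk(UUID4_RANDOM_BITS, requests_per_second),
    }


if __name__ == "__main__":
    for style, years in compare_styles().items():
        print(f"{style:12s} {years:.3g} years at 100 requests/second")
```

At a modest 100 requests per second, a million sequential records are walked in hours, the six-letter token space in a few years, and the 122 random bits of a UUID never. The random id closes the guess-the-neighbour hole, but a public URL is still public: anyone who obtains it (a shared link, a browser history, a search index, which is the post's next point) can open it, so it should sit behind the site's own access check rather than stand in for one.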
Likely there are additional vulnerabilities that we did not uncover in our cursory exploration of the website.
Response from Fundraising Company
We reached out to the platform right away with our concerns. Thankfully they responded quickly and seemed receptive. Apparently one of these issues is on their radar and, according to the representative, they are working on it—but it’s a structural change which is not likely easy or quick to implement and would only apply to new profiles that are added to their system after the fix is in place. The second issue can be easily resolved with a couple of noindex and/or nofollow tags, or a couple of lines in robots.txt—hopefully they’ll patch that hole right away.
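The quick fix the post mentions for the second issue can be verified mechanically: given a robots.txt, the response headers and the HTML of a page, decide what a well-behaved crawler would do with it. The following is an added example, not the platform's code; it uses only the Python standard library, and the URL, robots.txt and HTML responses are constructed to mirror the signup-page URL shape from the post, not captured from the site.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser


class _RobotsMetaParser(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").lower() == "robots":
            self.directives += [d.strip().lower() for d in attr.get("content", "").split(",")]


def robots_directives(headers: dict, html: str) -> set:
    """Union of X-Robots-Tag header values and <meta name="robots"> directives."""
    found = set()
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":
            found.update(d.strip().lower() for d in value.split(","))
    parser = _RobotsMetaParser()
    parser.feed(html)
    found.update(parser.directives)
    return found


def crawler_verdict(robots_txt: str, url: str, headers: dict, html: str,
                    user_agent: str = "Googlebot") -> str:
    """What a well-behaved crawler would do with this URL:
    'crawl-blocked' - robots.txt forbids fetching (any noindex on the page is never seen)
    'noindex'       - fetched, but a header or meta tag says not to index it
    'indexable'     - nothing stops it from being crawled and indexed"""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    if not rp.can_fetch(user_agent, url):
        return "crawl-blocked"
    if "noindex" in robots_directives(headers, html):
        return "noindex"
    return "indexable"


# Constructed responses modelled on the post's signup-page URL; not captured from the site.
SIGNUP_URL = "https://www.sitedomain.com/pluralentityname/EdIlHj"
PLAIN_HTML = "<html><head><title>Sign up</title></head><body>...</body></html>"
NOINDEX_HTML = '<html><head><meta name="robots" content="noindex, nofollow"></head><body></body></html>'
ROBOTS_BLOCKING = "User-agent: *\nDisallow: /pluralentityname/\n"
```

Two practical points fall out of the verdicts. A robots.txt Disallow stops crawling, not indexing: a URL that search engines already know can stay listed, and a crawler that is blocked never gets to read the page's own noindex tag, so the two should not be combined on the same URL when the goal is removal from the index; a noindex meta tag or X-Robots-Tag header on a crawlable page is what gets it dropped. And neither mechanism changes who can open the page, so this only closes the "no guessing required" shortcut, not the public-access problem itself.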
It was a bit concerning that the platform representative seemed to transfer the responsibility for privacy to schools and parents (“they get to choose what they put on the site”), since parents and schools don’t have the time or technical expertise to test the site’s privacy and security, and are likely to trust what the site says about privacy—which, in this case, is misleading at best.
They claimed to have IP rate-limiting measures in place—which would hopefully mitigate the damage if a bad actor tries to collect all the data stored on the platform. But, in reality, this obstacle would be fairly easy for a determined coder to work around.
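Rate limiting counts requests; the behaviour the post worries about has a more distinctive signature, a client stepping through profile ids one at a time. The following is an added detection example, not the platform's code: it reads constructed combined-format access log lines (the IPs are from documentation ranges, the timestamps and ids are made up) and reports clients whose requests walk consecutive ids under the post's /entityname/<id> URL shape.

```python
import re
from collections import defaultdict

# Apache/Nginx combined-log style line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Profile URL shape from the post: /entityname/<integer id>
PROFILE_RE = re.compile(r"^/entityname/(\d+)$")


def profile_ids_by_client(lines):
    """Map each client IP to the ordered list of profile ids it requested."""
    per_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        p = PROFILE_RE.match(m.group("path"))
        if p:
            per_ip[m.group("ip")].append(int(p.group(1)))
    return per_ip


def longest_sequential_run(ids):
    """Longest stretch of consecutive requests whose ids step by exactly 1 (up or down)."""
    if not ids:
        return 0
    best = run = 1
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if abs(cur - prev) == 1 else 1
        best = max(best, run)
    return best


def flag_enumeration(lines, min_run=10):
    """Clients whose longest sequential walk reaches min_run profile ids."""
    flagged = {}
    for ip, ids in profile_ids_by_client(lines).items():
        run = longest_sequential_run(ids)
        if run >= min_run:
            flagged[ip] = run
    return flagged


def _log_line(ip, profile_id, second):
    # Constructed sample log line (timestamp and response size are made up).
    return (f'{ip} - - [12/Mar/2021:10:00:{second:02d} +0000] '
            f'"GET /entityname/{profile_id} HTTP/1.1" 200 5120')


# Constructed sample log: one client walks 31 consecutive ids, another browses normally.
SAMPLE_LOG = (
    [_log_line("203.0.113.7", 9347869230 + i, i % 60) for i in range(31)]
    + [_log_line("198.51.100.9", pid, s) for s, pid in enumerate([9347869234, 9347869501, 9347869234])]
    + ['198.51.100.9 - - [12/Mar/2021:10:00:05 +0000] "GET /pluralentityname/EdIlHj HTTP/1.1" 200 2048']
)

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
```

Keying on the walk pattern rather than on raw request volume catches a slow, polite crawl that stays under any per-IP threshold. Grouping by IP still shares the blind spot the post attributes to IP rate limiting, so in production the same run check is worth applying per session or account as well, and the real remedy remains the one the post gives: ids that are not worth walking, behind pages that check who is asking.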
These vulnerabilities stem from very basic, structural issues (i.e., cheap and/or lazy developers) that have allowed huge data breaches affecting Fiserv, Parler, and First American Title, to name a few. There are quite likely other privacy and security issues that we didn’t discover in our quick, “at a glance” examination. This company should immediately hire a third-party security advisor to perform a comprehensive audit of their website, data systems, and internal processes.
This is a great fundraising effort and we certainly don’t want to dampen enthusiasm. But that parent has changed the child’s last name to an initial on the site and may or may not upload a photo. Maybe they’ll upload one of the family dog instead!
What About You?
How confident are you in the security and privacy of your website, database, custom web applications, and public-facing systems? Are you adequately protecting your clients’ or stakeholders’ personally identifiable data? If you have questions or concerns, or if you are interested in a security analysis of your website and data systems, please don’t hesitate to contact us. For updates on privacy, security, and other technology matters, follow our Facebook page.