News
400,000 users exposed by API vulnerability - EXPERT COMMENT
October 2021 by Nathanael Coffing, CSO and Co-founder of Cloudentit
Scoolio, a student community app widely used in Germany, exposed the sensitive data of roughly 400,000 users due to an API vulnerability in the platform. The data exposed includes user and parent emails, GPS locations, school names and personality traits. Scoolio fixed the bug 30 days after being notified by researchers and confirmed that no user data was intercepted by third parties prior to the discovery.
Nathanael Coffing, CSO and Co-founder of Cloudentity:
“As today’s enterprises increasingly turn to application programming interfaces (APIs) to enhance user experience and drive innovation, they often overlook the need to protect these services with fine-grained authorization and consent. In this case, the exposed data was more than enough for cybercriminals to launch highly targeted phishing attacks against the impacted users. Any organization responsible for consumers’ personally identifiable information (PII) must prioritize implementing proper security guardrails to mitigate data leakage and exposure risks. Enforcing context-based granular authorization on all APIs and externalizing it from the API code prevents hackers from attacking flaws that expose sensitive personal information and ensures authorization and consent safeguards cover all users.”
