Lax Security in School Mobile Device Management Service Exposed by Student Prior to Cyberattack

Serious Security Vulnerabilities in Mobile Guardian Exposed by Student

A recent cyberattack on Mobile Guardian, a popular school mobile device management service, has raised concerns about the company’s lax security measures. Prior to the attack, a student claiming to be from Singapore discovered a significant security bug in the system and reported it to the Singaporean government. However, the student feared legal retaliation and chose to remain anonymous.

The student stated that the bug allowed any signed-in user to gain “super admin” access to Mobile Guardian’s user management system. With this level of access, a malicious individual could perform actions that are typically reserved for school administrators, including resetting personal learning devices for all users. The student shared details of the vulnerability with the Singaporean Ministry of Education, a major customer of Mobile Guardian, in May.

The ministry responded to the student, assuring them that the bug had been addressed and was no longer a concern. However, they declined to provide further details, citing “commercial sensitivity.” According to the ministry’s spokesperson, the bug had been patched and was no longer exploitable. An independent certified penetration tester also conducted an assessment in June and found no vulnerabilities.

The bug itself was described as a client-side privilege escalation vulnerability, which allowed anyone with internet access to create a new Mobile Guardian user account with high-level system access. The bug stemmed from the company’s servers not performing proper security checks and instead trusting what the user’s browser sent. By modifying the network traffic in the browser, a user could trick the server into accepting elevated system access for their account.

TechCrunch was provided with a video demonstration of the bug, recorded on the day of disclosure. The video showed how a user could create a “super admin” account using only the browser’s tools to modify network traffic. The server accepted the modified request and granted the account access to a dashboard displaying lists of Mobile Guardian enrolled schools.
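To make the trust boundary concrete, here is an added example (not Mobile Guardian’s code; all names are assumed) of a user-creation handler that copies the role from the request body, beside one that decides authorization from the server-side session and never lets this endpoint assign the top role.

```python
from dataclasses import dataclass, field

# Roles in increasing privilege order (constructed for this example).
ROLES = ("student", "teacher", "school_admin", "super_admin")

@dataclass
class Session:
    """Server-side session: the role here was set at sign-in, never by the client."""
    user_id: str
    role: str

@dataclass
class UserStore:
    users: dict = field(default_factory=dict)

def create_user_vulnerable(store: UserStore, session: Session, body: dict) -> dict:
    """Weak pattern: the role is copied from the request body, so any signed-in
    user who edits the request in browser dev tools can mint a super_admin account."""
    role = body.get("role", "student")
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}")
    user = {"role": role, "created_by": session.user_id}
    store.users[body["username"]] = user
    return user

def create_user_hardened(store: UserStore, session: Session, body: dict) -> dict:
    """Hardened pattern: authorization comes from the server-side session, and the
    highest role is never assignable through this endpoint whatever the client sends."""
    if session.role != "super_admin":
        raise PermissionError("only super admins may create accounts")
    role = body.get("role", "student")
    assignable = {"student", "teacher", "school_admin"}
    if role not in assignable:
        raise PermissionError(f"role {role!r} cannot be assigned via this endpoint")
    user = {"role": role, "created_by": session.user_id}
    store.users[body["username"]] = user
    return user

# Constructed request: a student session sending a tampered body that asks for super_admin.
TAMPERED_BODY = {"username": "attacker", "role": "super_admin"}

def demo() -> tuple:
    """Runs the tampered request through both handlers and reports the outcome of each."""
    student = Session(user_id="s-1", role="student")
    vulnerable_result = create_user_vulnerable(UserStore(), student, TAMPERED_BODY)["role"]
    try:
        create_user_hardened(UserStore(), student, TAMPERED_BODY)
        hardened_result = "granted"
    except PermissionError:
        hardened_result = "denied"
    return vulnerable_result, hardened_result
```

Calling `demo()` returns `('super_admin', 'denied')`: the same tampered request yields a super admin under the weak handler and is refused under the hardened one.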

Mobile Guardian CEO Patrick Lawson did not respond to requests for comment regarding the student’s vulnerability report or whether the bug had been fixed. However, after being contacted by TechCrunch, the company updated its statement, stating that previous vulnerabilities had been resolved and no longer posed a risk. The statement did not provide specific details about when the vulnerabilities were addressed and did not explicitly address a potential link between the previous flaws and the August cyberattack.

This incident is not the first security breach to impact Mobile Guardian. In April, the Singaporean education ministry confirmed that the company’s management portal had been hacked, compromising personal information of parents and school staff from hundreds of schools in Singapore. The breach was attributed to Mobile Guardian’s weak password policy rather than a vulnerability in its systems.

The Mobile Guardian cyberattack highlights the importance of robust security measures, particularly for services that handle sensitive data in educational settings. It also underscores the need for thorough vulnerability testing and prompt patching to prevent potential exploitation. Users should remain vigilant about the security practices of service providers and report any suspicious findings to the appropriate authorities.