SINGAPORE - A report made by a member of the public about a potential Mobile Guardian vulnerability was investigated by the Ministry of Education (MOE), the ministry said on Aug 9.
The report, which was made on May 30, was immediately investigated by MOE.
“We confirm that a member of the public had reported a potential vulnerability in the Mobile Guardian application to the Ministry of Education on May 30,” the ministry said.
“We had immediately investigated the report, and found that the vulnerability had been picked up as part of an earlier security screening, and had already been patched,” it added.
MOE confirmed that the disclosed exploit was no longer workable after the patch. An exploit is a program or piece of code designed to take advantage of a vulnerability in an app or computer system.
The ministry was responding to earlier queries from The Straits Times about a post on Reddit by user Hopeful_Chocolate080 on Aug 6, about how he had alerted the ministry of an “impending cyber-security attack” on the Mobile Guardian app.
Mobile Guardian is a device management app that helps parents manage their children’s device use, restricting screen time and access to specific websites and apps.
In the post, the user said he had sent multiple e-mails to MOE and Mobile Guardian about the vulnerabilities he had discovered about the app.
When ST reached out to the user, the user sent transcripts of his e-mail correspondence with both Mobile Guardian and MOE, which included information about “improper access control” which the user claimed would allow for the reading and modification of all data in Mobile Guardian’s systems.
Highlighting the vulnerability, the user wrote out steps showing how to access the Mobile Guardian admin portal.
The user said MOE had replied six days later, telling the user that it will be “reassessing their cyber-security posture”, and 19 days later, the ministry confirmed it had “reviewed the vulnerability report and confirmed that it is no longer a concern”.
The Reddit post was uploaded a day after the ministry released a statement on Aug 5 about a cyber-security attack that involved unauthorised access to its platform that affected customers globally, including about 13,000 students from 26 secondary schools here.
On Aug 5, MOE said it was alerted by some schools late at night on Aug 4 about students with iPads or Chromebooks losing access to their apps and data. Affected students had all apps remotely wiped, with some losing years of notes.
MOE said on Aug 9 that an independent certified penetration tester conducted a further assessment in June, following the report from the member of public.
No such vulnerability was detected, the ministry added.
“We had informed the member of the public accordingly, and thanked him for his feedback,” MOE said.
“Nevertheless, we are mindful that cyber threats can evolve quickly and new vulnerabilities discovered,” the ministry said.
“MOE regards such vulnerability disclosures seriously and will investigate them thoroughly.”
Members of the public can report any concerns regarding weaknesses in IT services on GovTech’s Vulnerability Disclosure portal.
This article was first published in The Straits Times. Permission required for reproduction.
