Student warned of vulnerability in Mobile Guardian MDM weeks before cyberattack
Shipping software with broken access control and not following through adequately on warnings is bad. The experience should encourage better DevOps, at least.
The warnings
Weeks before the mass-wiping of students' devices because of an attack on Mobile Guardian, which provides Mobile Device Management (MDM), a student had warned of vulnerabilities in the software that could be exploited through simple browser sessions.
According to TechCrunch, the student had warned the Singaporean government, a major customer of UK-based Mobile Guardian, that any signed-in user could gain “super admin” access to the company’s user management system through browsers. Super-admin privileges include the ability to reset every device subscribed to the Mobile Guardian MDM -- which is what happened to thousands of students' devices.
The Singaporean education ministry acknowledged it had received the warning but said the vulnerability had already been patched. Obviously not.
Even more troubling: according to the ministry, an independent certified penetration tester hired to follow up on the warning ran tests and did not detect the vulnerability.
Client-side privilege escalation vulnerability
Privilege escalation through client-side tampering is a rather basic flaw and should not occur. It is really a server-side failure: the application trusts a role value that arrives from the browser instead of reading the role from its own records. With proper authorization checks in place, it does not happen.
When the vulnerability is present, a signed-in user can use the developer tools built into any browser to edit a request before it is sent, changing the role field for their own account from “admin” to “super admin”. The server stores the value without checking whether the caller is allowed to grant it.
That is exactly what the student demonstrated in the warning: with the elevated role, the student showed they could reach a dashboard listing the schools subscribing to Mobile Guardian, which only a super admin should be able to see.
Yet the pentester did not pick up on that vulnerability. That is a big issue too: it compounded the software company's cybersecurity weakness and its failure to remediate it.
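The mechanism above, and the check a pentester should have run, as an added example. This is not Mobile Guardian's code; it is a hypothetical profile-update endpoint in two versions (one that writes every field the client sends, one with an allow-list), a super-admin-only "list schools" view, and a constructed request body edited the way a browser's devtools would edit it. All user names, session tokens and field names are assumptions.

```python
import copy
import json

# Constructed server-side state (illustrative only). A session token maps to
# a user; the user record is the only authoritative source of the role.
SEED_USERS = {
    "alice": {"role": "admin", "display_name": "Alice", "school": "school-a"},
    "bob": {"role": "admin", "display_name": "Bob", "school": "school-b"},
}
SEED_SESSIONS = {"sess-alice": "alice"}

ROLE_RANK = {"viewer": 0, "admin": 1, "super admin": 2}


class Server:
    """Two versions of a profile-update endpoint plus a super-admin-only view."""

    def __init__(self):
        self.users = copy.deepcopy(SEED_USERS)
        self.sessions = dict(SEED_SESSIONS)

    def vulnerable_update_profile(self, token, body):
        """Vulnerable: every JSON field, 'role' included, is written through.

        The page normally sends {"display_name": ...}; anyone who edits the
        request in the browser's devtools can add "role": "super admin".
        """
        user = self.sessions.get(token)
        if user is None:
            return {"status": 401}
        self.users[user].update(json.loads(body))  # BUG: trusts a client-sent role
        return {"status": 200, "role": self.users[user]["role"]}

    def hardened_update_profile(self, token, body):
        """Fixed: allow-list of editable fields; 'role' never comes from the client."""
        user = self.sessions.get(token)
        if user is None:
            return {"status": 401}
        data = json.loads(body)
        editable = {"display_name"}
        rejected = sorted(set(data) - editable)
        if rejected:
            return {"status": 400, "rejected": rejected}
        for field in editable & set(data):
            self.users[user][field] = data[field]
        return {"status": 200, "role": self.users[user]["role"]}

    def list_schools(self, token):
        """Super-admin-only dashboard; the role is read from server state, not the request."""
        user = self.sessions.get(token)
        if user is None:
            return {"status": 401}
        role = self.users[user]["role"]
        if ROLE_RANK.get(role, -1) < ROLE_RANK["super admin"]:
            return {"status": 403}
        return {"status": 200, "schools": sorted(u["school"] for u in self.users.values())}


# Constructed request bodies. The second is the first with one field added
# in the browser's network panel before resending.
NORMAL_BODY = json.dumps({"display_name": "Alice"})
TAMPERED_BODY = json.dumps({"display_name": "Alice", "role": "super admin"})


def probe_mass_assignment(endpoint_name):
    """Pentest check: replay a legitimate request with 'role' added, then see
    whether a restricted endpoint that was 403 before is reachable afterwards."""
    server = Server()
    update = getattr(server, endpoint_name)
    before = server.list_schools("sess-alice")["status"]
    update("sess-alice", TAMPERED_BODY)
    after = server.list_schools("sess-alice")["status"]
    return {"before": before, "after": after, "role": server.users["alice"]["role"]}


if __name__ == "__main__":
    for name in ("vulnerable_update_profile", "hardened_update_profile"):
        print(name, probe_mass_assignment(name))
```

The probe is the whole test a pentester needs for this class of bug: take any request the application legitimately sends for a low-privilege account, add the privilege-bearing field, resend it, and retry an endpoint that was forbidden a moment earlier. Against the vulnerable endpoint the dashboard goes from 403 to 200; against the hardened one the tampered request is rejected with 400 and the dashboard stays 403.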
Second time this year for Mobile Guardian
Earlier this year lax password policies at Mobile Guardian led to a hack of its management portal and the compromise of Personally Identifiable Information (PII) belonging to parents and school staff at scores of schools in Singapore.
Methinks there's a problem with the DevOps culture at Mobile Guardian. Stay tuned.
Written by
Andrew Tetzeli
I provide bespoke software development and other IT solutions, including sysadmin, network management, and cybersecurity. I work in and on iOS, Android, macOS, Windows, Linux development; Python; C/#/++; Swift; Java (!); JavaScript; PHP; SQL...