Security researchers say a Toronto-based e-learning website called OneClass may have jeopardized the privacy of thousands of students by not properly securing a database of subscriber information.
In research shared with IT World Canada, vpnMentor — a site that evaluates virtual private networks and regularly searches the internet for poorly-secured databases — says that last month it found a 27GB Elasticsearch database with data on 1 million individuals on an Amazon S3 server belonging to OneClass.
Some of the data was masked, but other information wasn’t, including full names, email addresses, phone numbers, schools and universities attended, enrollment details and OneClass account details.
OneClass’s website says “OneClass applies necessary physical, technological and administrative measures to protect Personal Data at the level appropriate to its sensitivity.” It also says that “We store your personal data on Amazon servers located in the United States, under the highest data security standards.”
Told on May 25th of the discovery, OneClass immediately secured the S3 bucket, researchers say. However, the company said the exposed database was a test server, and any data stored within had no relation to real individuals.
vpnMentor researchers dispute that, saying they used publicly available information to verify a small sample of records in the database. “Taking the PII (personally identifiable information) data from numerous records, we found the social profiles of lecturers and other users on various platforms that matched the records in OneClass’s database.”
Had criminals also found a way to access the database, the personal information would be a “goldmine” for phishing and fraud, researchers warned.
IT World Canada has tried to reach OneClass management for comment. On Tuesday evening the publication sent an email to an address on the company’s “Contact” page. However, that ended up being sent to product support. On Wednesday, IT World Canada emailed a OneClass venture capital firm which has invested in the company asking it to relay our message to OneClass management. By press time Thursday, we had not had a response.
Started in 2010, OneClass offers free and paid access to 1.5 million notes, study guides and video tutorials from student contributors at hundreds of institutions in six countries, including Canada and the U.S., to help students get better grades.
A yearly account costs $119.76; there are also monthly and quarterly options. OneClass also pays students to be Elite Note Takers. Users can also ask a tutor questions on either a yearly or monthly plan.
Students who share lecture notes earn points that can be redeemed with gift cards from Domino’s Pizza, Chipotle, Sephora, Walmart, PayPal, iTunes, Target and Amazon.
vpnMentor researchers have for some time been searching the internet for unsecured databases and publicly identifying the organizations responsible. Just over a year ago, they found an unprotected database on the Internet containing personal and credit card information on thousands of Freedom Mobile subscribers. The carrier, owned by Calgary’s Shaw Communications, blamed a misconfigured server managed by a company called Apptium, which had been hired to streamline Freedom Mobile’s retail customer support processes.
The vpnMentor research team says it discovered the breach in OneClass’s database as part of a huge web mapping project using port scanning to examine particular IP blocks and testing different systems for weaknesses or vulnerabilities. In this case, researchers were able to access the OneClass Elasticsearch database by browser and manipulate the URL search criteria into exposing schemata from a single index at any time.