Online coding platform for children WhiteHat Jr was found to have left personal data of 2.80 lakh students and teachers vulnerable through multiple bugs (till these were fixed by the company), The Quint has learnt.
According to responsible disclosures made by an independent security researcher to WhiteHat Jr, the Byju’s-owned company had left its backend server open that allowed access to a variety of plaintext data, including student names, age, gender, images, user IDs, parents name, and progress reports to outsiders.
The security researcher who reported the vulnerability on 19 November wished not to be named. He has confirmed to The Quint that he received an acknowledgment mail the next day and access to the company’s AWS servers have now been restricted by the company as of 20 November.
"According to what I found out the personal data of over 2.80 lakh students including names of their parents were lying exposed due to a vulnerability on the company's server side," the researcher told The Quint.
A company spokesperson, in a reply to questions by The Quint said, “WhiteHat Jr takes security and privacy issues very seriously.” According to an updated statement by the company on 25 November, “Based on information received from responsible disclosures, we reviewed our setup and worked to patch specific identified vulnerabilities within 24 hours.”
Following the publication of this story on 24 November, a company spokesperson said in an updated statement, “We reiterate that no breach of data has happened in this context on company's computer systems and networks, out of an abundance of caution we are continuing our investigation to ensure that this is the case,”
WhiteHat Jr was founded in 2018 by Karan Bajaj as an educational technology platform meant to teach coding to children between the ages of six and 18. The company was acquired by Byju’s in August for a reported sum of $300 million.
Data of Parents & Teachers
Apart from the personally identifiable information (PII) of minors, the researcher said the servers had also exposed information pertaining to teachers, parents of the students, as well as salary documents of the company, internal company documents and dozens of recorded videos of classes being conducted.
Separately, the company was also found to have been leaking personal data via its API where one user could view another’s data including transaction details. Santosh Patidar, the founder of a queue management app, posted the issue on LinkedIn and later updated that the bug had been fixed.
While multiple researchers have claimed that the company had left the servers open for several months, The Quint is unable to independently verify the exact duration of the vulnerabilities.
WhiteHat Jr’s Open Server Exposing Students’ Data
The security researcher said he found that WhiteHat Jr was using Amazon Web Service (AWS) servers and found its S3 buckets to have been left open, allowing access into a trove of folders containing documents, files, data and videos.
“Among the most serious security concern was personal information of thousands of children who had signed up onto the platform,” the researcher told The Quint, adding “this was among a large variety of other exposed data.”
Personally identifiable information or PII is any information that can identify and individual and is categorised as sensitive personal data by the Personal Data Protection Bill (PDP Bill) currently tabled in Parliament and before a joint Parliamentary Committee.
Responding to queries of data collection, WhiteHat Jr told The Quint, “We store basic customer information (name, contact information, projects and curriculum related info, pictures) with the required consent.” According to the company, “there are no other PII of our customers, employees, suppliers collected/ processed by WhiteHatJr on our applications.”
He said that he got a response within a day after directly mailing WHJ’s Chief Technology Officer (CTO) on 19 and 20 November with identified vulnerabilities including a bug that allowed others to upload files onto the company’s servers. “I got a response from the company’s CTO Pranab Dash on 21 November who acknowledged the vulnerabilities and informed me they had been taken care of.”
In a screenshot of the emails exchanged with Dash that was shared with The Quint, Dash acknowledged the mails and responded, “We have restricted write permission to all our S3 buckets. Is anything still open?” He also sent a separate mail thanking the researcher for the disclosures.
“Based on the information received from responsible disclosures made to WhiteHatJr about possible security vulnerabilities, we reviewed our setup and patched the identified vulnerabilities,” the company said in its response to The Quint.
“We always strive to improve our customer experience and performance of the application, and to support this we use various industry-validated tools and software,” the response further stated.
A company spokespwerson aadded that they have also retained external security experts to assist them.
API Leaking Personal Data & Transaction Details
In a separate issue but one that was also leaking personal data as well as transaction details of payments made by parents, Santosh Patidar, founder of queue management app DINGG, had also highlighted a vulnerability.
In a post published on LinkedIn, Patidar wrote on 20 Oct, “Personal details of the kids along with their transaction (purchase) details are openly (not so open) available. WhiteHat Jr BYJU’s team check your web logs, I am sure you will find the issue otherwise DM me.”
Patidar later updated the same post stating, “They have fixed the issue.” He went on elaborate on the vulnerability, revealing that the API was leaking personal data of children.
“Pranab Dash CTO approached me last night to understand the bug, and now I can confirm that they have fixed it now... One of their API was exposing too much data. It’s still the same but its authorised so that’s not an issue. Until last night it was allowing access to other users data using your Auth (authorisation) token (sic).”
WHJ’s Advertisement Setback & Defamation Suits
Developments around WHJ’s security issues comes at a time when the company has been ordered by the Advertising Standards Council of India (ASCI) to remove five advertisements for not adhering to advertising standards.
In a Rs 20 crore defamation suit the company filed against Pradeep Poonia, a software engineer, on 21 November, WHJ had stated that a 13-year-old boy called Wolf Gupta, who was advertised as having developed an app, was “fictitious”. Poonia had tweeted as well as published videos on YouTube about the company’s advertisements including those about ‘Wolf Gupta’ and about its teachers and curriculum.
Poonia was also part of the Telegram groups comprising security researchers who had discovered vulnerabilities in the product and made responsible disclosures to the company.
On 23 November, the company filed a second defamation case, this time against angel investor Annirudh Malpani.
Below is WhiteHat Jr’s official response to The Quint’s queries in full:
"WhiteHatJr takes security and privacy issues very seriously. We store basic customer information (name, contact information, projects and curriculum related info, pictures) with the required consent. There are no other PII of our customers, employees, suppliers collected/ processed by WhiteHatJr on our applications. We always strive to improve our customer experience and performance of the application, and to support this we use various industry-validated tools and software.
Based on the information received from responsible disclosures made to WhiteHatJr about possible security vulnerabilities, we reviewed our setup and patched the identified vulnerabilities. The fixes were applied immediately on identification and detection of the vulnerabilities in our applications and servers.
We regularly undertake and continue with various initiatives to strengthen our Security and Privacy set-up, including a Bug Bounty Program."