I alerted MOE of an impending cybersecurity attack on Mobile Guardian two months ago |
---|
By Hopeful_Chocolate080 I had known the security vulnerabilities for quite some time, and am well aware of the potential consequences. So many emails to Mobile Guardian and MOE later, it was disappointing for me to find out that everything I did was for nothing. It still took MOE an actual major cybersecurity breach to learn their lesson. While there is nothing more I could do to mitigate the attack, I wish to shed more light and bring more attention to the problem by sharing some of my correspondences with MOE here. Hopefully, this will allow us to take similar incidents more seriously in future. Correspondences In late May, after taking 10 days of negotiating a secure platform to disclose the vulnerability, I sent the following information to MOE. I also alerted MG prior to this but they did not respond to any of my emails. "The vulnerability involves improper access control. This is a critical vulnerability because it allows read and modification of all data in Mobile Guardian systems. Furthermore, it is a trivial vulnerability, with reproduction not taking more than 3 minutes. Here are the steps to reproduce the vulnerability: Sign up for a work account at sg-portal.mobileguardian.com (note that there's an error translate::ecommerce at the location step, simply ignore the error).
• Login to the dashboard and go to the user management page.
• Invite a user and enable the role admin, making sure the email is valid.
• Open chrome devtools and navigate to the network tab.
• Edit the user without making changes and just click on update.
• Find the request to the route put sg-api.mobileguardian.com/api/users/
• Right click and copy curl request, then make the request again, changing role id to 2.
• Observe that the dashboard shows that the user has roles "admin" and "super".
• Accept the invitation and login to the dashboard using the new user.
• At the top right corner, click on user settings, on the right side of the username.
• Click on the empty space between the icon and the log out button.
Now you will be brought to Mobile Guardian's administration portal. I suspect this is Mobile Guardian's internal management portal as mentioned in MOE publications. However, contrary to the publication (which I suppose is the information Mobile Guardian provided), the management portal gives full read and write access to all schools. There is a list of all schools and users on the main page, and there is also a functionality to "impersonate" a user, which is to login as that user without their password. This would also mean that an attacker can do everything school admins can do. For instance, an attacker can reset every person's personal learning device. At this point, I want to emphasise that this is an extremely trivial vulnerability, and on the software side this is an error even beginner software engineers will not make. I also want to advise that simply resolving this vulnerability is not going to be any effective, as there are surely many more trivial vulnerabilities similar to this one. I strongly urge the Ministry of Education to reconsider whether Mobile Guardian is a suitable vendor to provide DMA services for schools in Singapore. Can we really entrust Singaporean's data to foreign companies under "contractual obligations"? Can Mobile Guardian handle the massive responsibility if this vulnerability is to be abused? Most importantly, can we even afford to have all our personal data be exposed to the world? Please help to escalate this issue and I beg to be kept updated. Thank you." Here was the first response from MOE 6 days later: "Thank you for the steps. We had taken this issue up with Mobile Guardian and we are re-assessing their cybersecurity posture." MOE took another 19 days to respond a second time, per my further request for a follow-up: "Thank you for reaching out to us. We have reviewed the vulnerability report and confirmed that it is no longer a concern. However, we take data protection seriously and appreciate all vulnerability disclosures. Due to commercial sensitivity, we are unable to share information about our future engagements with Mobile Guardian. We appreciate your understanding. " More recently after some students experienced difficulties accessing the internet on their devices, I dispatched this email to the Education Minister. I have not received a reply yet, and do not believe it contributed to the eventual removal of the MG app. "I appreciate you taking the time to read this email. Recently, I was appalled by the sheer number of iPads sitting in IT departments across schools in Singapore. These were not iPads to be fixed; these were iPads waiting anxiously in line to be sentenced to the capital punishment of a factory reset. The cold, hard truth is this: Over the last few days, Singaporean students just collectively lost many months of knowledge, and this is time that they will never get back again. Two months ago, I reported a trivial but critical vulnerability in Mobile Guardian to MOE, which could give attackers access to all dashboards with full privileges (thread attached below for your reference). The arguments I presented there have only become more relevant and significant since. I strongly believe that Mobile Guardian should be removed immediately to prevent further damages, even if a replacement is not available now. I am certain that MOE is having extensive internal discussions regarding this issue. I hope I have played my part in case any information I provided here will expedite the process. Thank you for your considerations and I look forward to your reply." Final Thoughts If anything, the overall handling by the authorities with regards to this Mobile Guardian episode had been nothing short of disappointing. Just days away from National Day and what we are showing to the world is how our digital defence has failed miserably. It is ridiculous how so many students on the ground knew about the vulnerability and tried to alert the authorities, but nobody took it seriously. I cannot help but to be reminded of the attempted assassination of Donald Trump — there is just so much similarity between the two incidents. We have got to do much better than this, Singapore. Editor's Note: Screenshots of the writer's above shared email exchanges with MOE are appended below. |
YOU MAY WISH TO READ: Actual presentation slides shown to students during CCE lesson on Israel-Hamas conflict My school invited some sketchy organization over Five Reasons Teachers are Pissed Off at MOE |
Chemistry
- Mrs Grace Ong
- Mr William Lin Xijie
- Mr Joel Liu
- Mdm Rajeshwari Rai
- Mr Desmond Tan
- Mr Donnell Koh
- Mr Prakash Philip
- Mr Heng ✻
- Mr Julian Tan †
- Mr Chew
- Mr Dion Khoo
- Mr Max Lye
- Dr Aw Junxin
- Mr Ingel Soong
- Miss Ong Li Hui
- Miss Serene Ow
- Miss Foo Ee June
- Mr Edwin Cheng
- Mr Kevin Seah
- Dr Michael Fong
- Mr Koh Kian Leon
- Mr Jim Cheong
- Mr Daniel Ong
- Mr Irwin See ✻
- Mr Kelvin Yap
- Mdm Shiao Lea Yap
- Dr Choo Yan Min
- Mr Liau Chuan Yi
English /
General Paper/
Creative Writing
Physics
Biology
- Mr Duncan Ang ✻
- Dr Michael Fong
- Miss Rachel Mohd
- Mr Alex Tsui
- Ms Yap
- Mr Karman Chua
- Miss Serene Ow
- Miss Foo Ee June
- Mr Kevin Seah
- Mr Kelvin Yap
Literature/ Humanities / Social Studies
Mathematics
- Mr Tan Jun Wei
- Mr Andrew Tan
- Mr Eric Chng
- Miss Jolyn Ang
- Mr Goh Joo Heng
- Mr Andrew Yap
- Mr Jim Cheong
- Ms Debbie Teo ✻
- Mr Li Minghui Samuel
- Miss Cai Liling Clarice
- Mr Ang Wei Cang
- Mr Jerry Guo Jiayu
- Mr Raymond Ng
- Mr Alvin Au Meng Jun
- Dr Choo Yan Min
- Mr Ingel Soong
- Miss Tan Su Ping
- Mr Philip Toh
Principles of Accounts
Economics
This is a heading title
Public Opinions/ Perspectives
Listen To What They Say
Read These At Least Once
- • Things To Consider
Before / After Hiring
A Tutor
- • DIY For Tutors
- • Cut-off Point Tables
(Secondary / JC)
- • P1 Registration Balloting History