WhiteHat Jr, a popular online coding platform for young kids, reportedly exposed personal data of over 2.8 lakh students and teachers due to multiple vulnerabilities. The platform said that it had fixed the flaws after it was informed by a security researcher. It also claimed that "no breach of data has happened" due to the loopholes. Just last month, Mumbai-based WhiteHat Jr was found to have another security issue that was also leaking students' personal data and transaction details.
The security researcher who discovered the latest vulnerabilities within WhiteHat Jr made a disclosure to the platform on November 19, The Quint reports. The issues reportedly existed due to a misconfigured backend server that exposed data including student names, age, gender, profile photos, user IDs, parents name, and progress reports. The data is said to have included the details of a large number of minor students.
In addition to the personally identifiable information of several minor students on the platform, the vulnerabilities allowed access to information related to teachers and partners of students. Salary details of WhiteHat Jr employees as well as its internal documents and dozens of recorded videos of online classes being conducted by the platform were also exposed, according to the report.
The researcher reportedly got a response within a day after emailing its Chief Technology Officer Pranab Dash on November 19 and 20.
WhiteHat Jr acknowledged the issues and confirmed to The Quint that it fixed the identified vulnerabilities. However, it didn't provide any clarity on whether the exposed data was compromised until the fixes came in place.
Gadgets 360 reached out to WhiteHat Jr to get a comment on the security issues and clarity on whether any data was compromised.
Update: The company responded to Gadgets 360 to say that it patched specific identified vulnerabilities within 24 hours; and also claimed that no breach of data took place. The full statement is at the end of this article.
Interestingly, the latest vulnerabilities weren't the only ones impacting the security of coding-focussed WhiteHat Jr. Santosh Patidar, founder of queue management app DINGG, last month highlighted a flaw in one of the platform's APIs that was exposing personal data of students alongside transaction details.
Patidar took to LinkedIn to reveal the security flaw within WhiteHat Jr and was reached out by its CTO. He later updated the original LinkedIn post stating, “They have fixed the issue.”
Apart from the security issues, WhiteHat Jr has been facing criticism for allegedly false advertisements that feature young students. The company also recently filed a Rs. 20 crore defamation lawsuit against one of its critics, Pradeep Poonia, who alleged that the platform was not providing quality education to its students.
Founded in November 2018, WhiteHat Jr was acquired by edu-tech unicorn Byju's in August this year for $300 million (roughly Rs. 2,219 crores). The coronavirus pandemic has helped both WhiteHat Jr and Byju's to grow their businesses as people are staying indoors and are looking for online learning platforms for their children.
Update: The full statement from WhiteHat Jr is shown below.
WhiteHatJr takes security and privacy issues very seriously. We are committed to both our customers and to our compliance with applicable laws. Based on information received from responsible disclosures, we reviewed our setup and worked to patch specific identified vulnerabilities within 24 hours. We reiterate that no breach of data has happened in this context on company's computer systems and networks, out of an abundance of caution we are continuing our investigation to ensure that this is the case. We regularly undertake and continue with various initiatives to strengthen our Security and Privacy set-up and have also retained external security experts to assist us.
How are we staying sane during this Coronavirus lockdown? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts or RSS, download the episode, or just hit the play button below.