WhiteHat Jr, a popular online coding platform for young kids, reportedly exposed personal data of over 2.8 lakh students and teachers due to multiple vulnerabilities that existed in its servers until the middle of November. The platform said that it has fixed the flaws after it was informed by a security researcher. It is, however, unclear whether the affected data was compromised before the loopholes were patched. Just last month, Mumbai-based WhiteHat Jr was found to have another security issue that was also leaking students’ personal data and transaction details.
The security researcher who discovered the latest vulnerabilities within WhiteHat Jr made multiple disclosures to the platform over more than a month, between October 6 and November 20, The Quint reports. The issues reportedly existed due to a misconfigured backend server that exposed data including student names, age, gender, profile photos, user IDs, parents’ names, and progress reports. The data is said to have included the details of a large number of minor students.
In addition to the personally identifiable information of several minor students on the platform, the vulnerabilities allowed access to information related to teachers and partners of students. Salary details of WhiteHat Jr employees as well as its internal documents and dozens of recorded videos of online classes being conducted by the platform were also exposed, according to the report.
The researcher reportedly didn’t receive any correspondence from WhiteHat Jr initially. However, he got a response within a day after emailing its Chief Technology Officer Pranab Dash on November 19 and 20.
WhiteHat Jr acknowledged the issues and confirmed to The Quint that it fixed the identified vulnerabilities. However, it didn’t provide any clarity on whether the exposed data was compromised before the fixes were put in place.
Gadgets 360 has reached out to WhiteHat Jr to get a comment on the security issues and this report will be updated when the company responds.
Interestingly, the latest vulnerabilities weren’t the only ones impacting the security of coding-focussed WhiteHat Jr. Santosh Patidar, founder of queue management app DINGG, last month highlighted a flaw in one of the platform’s APIs that was exposing personal data of students alongside transaction details.
Patidar took to LinkedIn to reveal the security flaw within WhiteHat Jr and was contacted by its CTO. He later updated the original LinkedIn post stating, “They have fixed the issue.”
Apart from the security issues, WhiteHat Jr has been facing criticism for allegedly false advertisements that feature young students. The company also recently filed a Rs. 20 crore defamation lawsuit against one of its critics, Pradeep Poonia, who alleged that the platform was not providing quality education to its students.
Founded in November 2018, WhiteHat Jr was acquired by edu-tech unicorn Byju’s in August this year for $300 million (roughly Rs. 2,219 crores). The coronavirus pandemic has helped both WhiteHat Jr and Byju’s to grow their businesses as people are staying indoors and are looking for online learning platforms for their children.