K-12 student geolocation data, names exposed via API flaws: 6M kids impacted

Application programming interface (API) bugs in the Edulog Parent Portal platform allowed bad actors to access names and geolocation data of six million K-12 riders, according to researchers.

Edulog Parent Portal, a service that provides real-time school bus tracking for parents of grade-school students, has since fixed the vulnerability.

According to Edulog's parent company Education Logistics, "Every day, over 6 million students are transported on over 85,000 buses routed by Edulog software."

The flaw allowed anyone who created a free Edulog account to bypass a school registration safeguards and gain “unfettered access” to any information available through the service's Parent Portal API, Tenable researchers reported Wednesday. This information included students’ names, GPS locations of the buses they were assigned to and parent contact information.

The flaws also allowed access to platform configuration details "such as usernames and encrypted passwords for third-party integrations – for individual school districts," Tenable wrote.

Tenable reported the exposed data to Edulog on Sept. 13, 2023. Edulog said all the reported issues were resolved as of Nov. 30, 2023. There is no indication the exposed data was misused prior to the fix.

Parent Portal API endpoints lacked access control outside of apps

Schools that use Edulog software provide parents access to bus route information through the Edulog Parent Portal or Edulog Parent Portal Lite mobile applications. In a typical scenario, a parent signs up for a free Edulog account and receive a registration code from their school district to gain access to the bus route information.

Tenable researchers discovered that by creating a free account and manually submitting requests directly to the Parent Portal API endpoints, they could retrieve parent, student and bus information outside of the apps and without completing school registration. The only access control measures were client-side restrictions enforced through the apps.

“By proxying traffic from these apps, [the researchers] were able to obtain the authorization token for this test user and begin querying API endpoints manually,” Tenable said in an advisory.

Children’s location information, parents’ contact info leaked

Tenable said Edulog did not indicate whether it planned to publish its own security advisory, and as of Wednesday, no such advisory appears to have been posted on the Edulog website. According to the company’s security webpage, “Edulog’s cloud environments are backed by AWS’ security measures” and its applications use “role based account access workflows.”

Tenable asserted that these types of API issues are not uncommon "in industries where the concept of data security is often conflated with compliance standards."

"In fact, it’s likely that much of the information that could have been obtained via the Parent Portal API, such as names and addresses, was already considered open data and complied with regulatory requirements," Tenable wrote while citing the Family Educational Rights and Privacy Act.