Over two million daycare center data on the Internet


A security researcher has managed to access sensitive data from the daycare software provider KigaRoo. Once notified, the provider acted in an exemplary manner and closed the gap immediately. The case shows that “ethical hacking” can improve IT security – and why a reform of computer criminal law is overdue.

A security incident has occurred at a provider of software for kindergartens, KigaRoo. More than two million data records of adults and children are said to have been practically unprotected on the Internet. This is reported by security researcher Florian Hantke, who discovered the vulnerability and reported it to the provider. KigaRoo confirms the incident and states that it has since closed the security gap.

KigaRoo offers a comprehensive software package for kindergartens. Among other things, it can be used to handle employee management and manage waiting lists for daycare places. Parents can view details about children in a separate area with individual access data and set absences, for example. Customers include the daycare centers of Villa Luna, Infanterix and Polifant.

The manufacturer promises “the greatest possible security of your data at all times” and emphasizes: “No one but you, your employees and activated caregivers can view the data of your institution that you have released individually.”

Incrementing IDs

Obviously, this was not the case until recently. Anyone logged in with a free test account could potentially extract data en masse by calling up certain URLs. “The vulnerabilities concerned in particular missing or incorrect authorization checks,” says Hantke. In other words, anyone who knew or guessed the format of the URLs simply had to change the user ID to gain access to the respective data set.

Such queries could be carried out with arbitrary IDs consisting of a seven-digit number. “Since all the IDs mentioned were numerical and could therefore be easily extrapolated, it would probably be possible to access data from all users,” says Hantke. This included contact details, addresses, bank details and more, according to the security researcher.

Hantke reported the vulnerability to the company last Saturday, and it was closed at the weekend. “For me, it is particularly important in such cases to report the vulnerabilities quickly so that they can be rectified immediately,” says Hantke. He was all the more pleased that “the company concerned had reacted professionally and fixed the vulnerabilities only a few hours after I reported them.”

Supervisory authority confirms closed gap

In accordance with regulations, the company sent a data breach report to the Hamburg Data Protection Authority on Monday, the supervisory authority confirms. It was a classic IDOR vulnerability (Insecure Direct Object Reference), according to the data protection authority. Its technical department was able to verify that the software error has been fixed. In addition, KigaRoo has replaced the numeric IDs (identifiers) with UUIDs (Universally Unique Identifiers), which makes guessing them more difficult, a spokeswoman explains.

“So if a new misconfiguration of access occurs, the entire data room cannot be read out by simply guessing an ID,” says the spokeswoman. “With these two improvements, such a gap will be ruled out for the future.”

Specifically, the area for data protection information was affected. Since the General Data Protection Regulation came into force, users have been able to request the data that the provider has stored about them. This information for any parent user could be accessed via the appropriate URL, says Hantke. The paths for employees and children were also susceptible to such unauthorized queries.
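The IDOR pattern described above, with the two fixes the supervisory authority mentions (an authorization check tied to the logged-in user, and UUIDs instead of sequential IDs), as an added Python illustration that is not part of the original article; it uses a constructed, hypothetical record store rather than KigaRoo's code, and the final metric shows why re-keying to UUIDs matters even if a check is ever misconfigured again:

```python
import math
import uuid
from dataclasses import dataclass

@dataclass
class Record:
    owner_id: str  # the parent user this data-protection record belongs to
    facility: str
    content: str

class Forbidden(Exception):
    """Raised when the session user may not read the requested record."""

# Constructed sample data (hypothetical, not KigaRoo's data model): two parent
# users at two facilities, keyed by sequential seven-digit IDs as in the article.
RECORDS_BY_SEQ = {
    "1000001": Record("parent-a", "kita-1", "address of parent A"),
    "1000002": Record("parent-b", "kita-2", "bank details of parent B"),
}

def get_record_vulnerable(session_user: str, record_id: str) -> Record:
    """IDOR: the handler trusts the ID from the URL and ignores who is asking."""
    return RECORDS_BY_SEQ[record_id]

def is_authorized(session_user: str, record_id: str, store: dict) -> bool:
    """Fix 1: the requested object must belong to the authenticated session user."""
    rec = store.get(record_id)
    return rec is not None and rec.owner_id == session_user

def get_record_secure(session_user: str, record_id: str, store: dict) -> Record:
    """Same lookup with the check; 'missing' and 'not yours' are indistinguishable."""
    if not is_authorized(session_user, record_id, store):
        raise Forbidden()
    return store[record_id]

def migrate_to_uuid(store_by_seq: dict) -> dict:
    """Fix 2: re-key records under random UUIDs so IDs cannot be extrapolated."""
    return {str(uuid.uuid4()): rec for rec in store_by_seq.values()}

def expected_hits_per_guess(id_space_bits: float, records: int) -> float:
    """Defender's metric: live records hit per random ID guess (higher is worse)."""
    return records / 2 ** id_space_bits

SEQ_ID_BITS = math.log2(10 ** 7)  # seven decimal digits
UUID4_BITS = 122  # random bits in a version-4 UUID
```

With the roughly 2.1 million records the article estimates, a seven-digit ID space means about one hit per five guesses, while a UUIDv4 space makes a hit from guessing practically impossible.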

Hundreds of thousands of accounts accessible

“Based on the ID, it can be estimated that there were about 1,290,000 data records of adults and 846,000 data records of children, which included the reference to the facility plus contact details, addresses, bank details, refugee status and the like,” says Hantke. However, it is conceivable that there were also test accounts among them.

It is difficult to say in hindsight how many people were actually affected. As for possible unauthorized accesses, however, there is an all-clear: according to the Hamburg Data Protection Authority, there was no access to the data apart from that by the security researcher. That access was reported to the daycare center concerned. “There are three data sets there,” says the spokeswoman.

KigaRoo states to netzpolitik.org that it can “definitively exclude” that unauthorized access to the database has occurred. In addition, the company emphasizes that “no data was open” – because a test account was necessary (KigaRoo calls these accounts “admin accounts”). “The reported vulnerability would have potentially allowed access to excerpts of individual personal data records recorded in KigaRoo, but only via another admin account,” says a company spokeswoman.

Security researcher Hantke considers this an “unclear formulation”. It is true that changing the ID once only gave access to one other data set, Hantke said. “But of course there is nothing wrong with changing the ID several times and sending several requests in order to go through all the IDs in the end.”

The areas for notifications and so-called tasks were also not sufficiently secured. The latter could be used to call up tasks with detailed descriptions, such as information about a child. The calendar entries of any daycare center were also open and could be downloaded as an .ics file.

Legal grey area

However, the problem does not stop at daycare centers, Hantke emphasizes. “Especially in the context of the upcoming federal elections, I think it is important to repeatedly draw attention to the dangers of inadequate IT security and the importance of ethical hackers.” “Ethical hacking” is the practice of uncovering and closing security gaps instead of exploiting them, for example, for ransomware attacks or industrial espionage.

Legally, it has been a gray area in Germany for years. Researchers who discover and report security vulnerabilities on their own risk being liable to prosecution. For example, security researcher Lilith Wittmann initially received a complaint after she discovered and reported a security vulnerability to the CDU.

The traffic light coalition, which has since collapsed, had in fact planned to reform the controversial hacker paragraphs. However, it got no further than a draft bill that was only presented in October. “In view of the increasing importance of digital attacks and espionage, this issue must be urgently addressed by a new government,” Hantke demands.

“Ethical hacking” improves IT security

Personally, he considers it a social gain when someone uncovers vulnerabilities in applications and responsibly points them out, says Hantke. “I’d much rather find and report a vulnerability than have a darknet trader do something else with the data. Unfortunately, I also know some people who prefer to close their eyes for fear of legal consequences or not report a vulnerability they find.”

The daycare case shows that things can be done differently, in an almost exemplary way. “We thank you for the tip and appreciate his commitment very much,” says the KigaRoo spokeswoman about the security researcher.
