A data leak on a major learning application has resulted in the data of 2 million users being exposed.
The research team of cyber security publication Cybernews discovered that the learning app LectureNotes exposed the personal and access data of the application's users and administrators because of a misconfigured MongoDB database that was left publicly accessible.
Researchers from Cybernews said that this could have been prevented with simple authentication measures.
“The rule of thumb for MongoDB administrators is always to enable authentication and ensure that only authorised users can access the database. Using strong passwords and keyfile authentication improves security,” said Cybernews researchers.
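The settings the researchers refer to, as an added example that is not from the article or from LectureNotes: a mongod.conf fragment in the kind of state that leaves a database open to anyone who can reach it, followed by one that enforces authentication. The private interface address and the keyfile path are assumptions.

```yaml
# Added example, not from the article. Two mongod.conf fragments:
# the first is the kind of setup that leaves a database reachable by
# anyone who can connect to it, the second enforces authentication.

# --- exposed (do not use) ---
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on every interface, including public ones
security:
  authorization: disabled  # any client that connects can read and write everything
---
# --- hardened ---
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5     # loopback plus the private app-server interface (assumed address)
security:
  authorization: enabled         # every client must authenticate and is limited to its roles
  keyFile: /etc/mongod/keyfile   # shared secret between replica-set members (assumed path, mode 400)
  clusterAuthMode: keyFile
```

After restarting with `authorization: enabled`, the first administrative user is created on the `admin` database through the localhost exception with `db.createUser()`, and application accounts are then given only the roles they need.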
A total of 2,165,139 users had their data compromised in the leak, with data including full name, username, phone number, email, encrypted password, IP address, user-agent, session tokens and in some cases, admin authorisation details such as IDs and “secrets”.
“The exposure of session tokens poses a severe threat, potentially allowing a potential attacker to illicitly access user sessions without requiring passwords,” wrote Cybernews researchers.
“Furthermore, the compromised administrator authorisation details, including IDs and secrets, elevate the risk by providing unauthorised access to privileged accounts, possibly leading to malicious activities and unauthorised control over the platform’s functionalities.”
With the stolen session tokens, hackers would be able to access user sessions without password authentication.
Additionally, the admin credentials would allow threat groups to inject malware and deploy other attacks, such as phishing and ransomware.
Cybernews researchers added that MongoDB databases ship with weak default security settings, and that administrators often overlook this.
Researchers from the publication recommend that users implement tools that continuously monitor for security issues.
LectureNotes has been downloaded over half a million times on the Google Play Store and allows students, teachers and educational institutions to share notes peer-to-peer.