Personal details of 2.8 lakh students and teachers enrolled on WhiteHat Jr, the online coding platform operated by BYJU’S, were reportedly exposed for an undetermined period until mid-November because of multiple vulnerabilities in the company’s servers. After being alerted, WhiteHat Jr reportedly patched the vulnerabilities, but it is still unknown whether any user information was compromised while the flaws remained unfixed.
The BYJU’S-owned company was using Amazon Web Services (AWS) servers, and the S3 buckets in which the data was stored were left open, allowing access to directories containing documents, files, data, and images, according to a cybersecurity researcher who spoke to The Quint anonymously. Normally, such storage is protected by a username and password and is accessible only to approved company staff.
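The misconfiguration described above, a storage bucket readable by anyone, is one that can be audited mechanically. The following is an added example, not code from the article or from WhiteHat Jr: it checks constructed sample data in the same shapes that the AWS S3 API returns for a bucket's ACL and bucket policy (the `Grants` list and the policy JSON string) for grants open to `AllUsers`/`AuthenticatedUsers` or to a wildcard principal, and shows the S3 Public Access Block settings that neutralise such grants. The bucket name, account id and role name in the samples are placeholders.

```python
import json

# AWS predefined group URIs that mean "anyone on the internet" and "any AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed sample: the shape of get_bucket_acl() output for a bucket whose ACL
# grants READ to everyone (object listing and download).
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}

# Constructed sample bucket policies, as the JSON string get_bucket_policy()["Policy"] returns.
SAMPLE_PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})
SAMPLE_PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},  # placeholder account/role
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Bucket- or account-level setting passed to put_public_access_block(); all four should be True.
RECOMMENDED_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def acl_public_grants(acl):
    """Return (group, permission) pairs granted to AllUsers/AuthenticatedUsers via the ACL."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def _principal_is_wildcard(principal):
    """True for the two spellings of "any principal" an S3 policy can use."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy_json):
    """Return Sids (or positional labels) of unconditional Allow statements open to any principal."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    open_statements = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        # A Condition (e.g. aws:SourceVpce, aws:PrincipalOrgID) may narrow the grant and
        # needs human review; only the unconditional grants are flagged here.
        if stmt.get("Condition"):
            continue
        open_statements.append(stmt.get("Sid", f"statement[{i}]"))
    return open_statements


def public_access_block_is_strict(config):
    return all(config.get(k) is True for k in RECOMMENDED_PUBLIC_ACCESS_BLOCK)


def audit_bucket(acl, policy_json, public_access_block):
    """Summarise one bucket's exposure. A fully enabled Public Access Block ignores public
    ACLs and restricts buckets with public policies, so it overrides the other two findings."""
    report = {
        "acl_public_grants": acl_public_grants(acl),
        "policy_public_statements": policy_public_statements(policy_json) if policy_json else [],
        "public_access_block_strict": public_access_block_is_strict(public_access_block or {}),
    }
    has_public_grant = bool(report["acl_public_grants"]) or bool(report["policy_public_statements"])
    report["exposed"] = has_public_grant and not report["public_access_block_strict"]
    return report


if __name__ == "__main__":
    print(json.dumps(audit_bucket(SAMPLE_ACL, SAMPLE_PUBLIC_POLICY, {}), indent=2))
```

In a real account the three inputs would come from `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` for each bucket; the logic above is deliberately kept free of the AWS SDK so it can be run against saved output offline.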
WhiteHat Jr told The Quint, “We reviewed our setup and patched the identified vulnerabilities based on the information received from responsible disclosures made to WhiteHatJr about possible security vulnerabilities… We always strive to enhance our customer experience and application performance, and we use different industry-validated tools and software to support this.”
Inc42 reached out to WhiteHat Jr and AWS to verify the authenticity of this report and to ask whether any user data may have been compromised before the vulnerability was patched. The article will be updated with both companies’ replies.
The exposed database included the personal records of thousands of children, their parents and guardians, and teachers, along with documents relating to WhiteHat Jr, which is currently involved in several court proceedings. It also contained internal company records on employee compensation and hundreds of recorded videos of classes taught on the WhiteHat Jr website.
WhiteHat Jr had told the publication, in response to questions about data collection, that the organisation stores basic customer information such as name, contact information, project- and curriculum-related information, and photographs, and that the data collected is processed with the appropriate consent of the individual concerned. The company stressed that no other personally identifiable information (PII) of its clients, staff, or providers collected or processed on its applications was available there.
On October 26, the researcher had reached out to WhiteHat Jr but received no response. On November 19 and 20, the researcher then wrote to the company’s CTO, Pranab Dash, and received a reply on November 21. “On November 21, I received a reply from CTO Pranab Dash of the company who acknowledged the vulnerabilities and informed me that they had been taken care of,” the researcher told The Quint, which first reported the matter.
Meanwhile, WhiteHat Jr was also found to have leaked personal data through its API (application programming interface), according to Santosh Patidar, founder of the queue-management app DINGG: one user could access another user’s data, including transaction information. This weakness was later patched.
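The API flaw described above, where an authenticated user can read another user's records by supplying that user's identifier, is a missing object-level authorization check. The following is an added example, not the article's or WhiteHat Jr's code, and it assumes nothing about the real API: it puts a minimal lookup that trusts the record id beside a hardened version that also verifies ownership, and adds a small detection pass over constructed access-log lines that flags callers who request many records they are not allowed to see.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Transaction:
    txn_id: int
    owner_id: int
    amount: int   # constructed sample values, in the smallest currency unit

# Constructed sample store: two users, one transaction each.
TRANSACTIONS: Dict[int, Transaction] = {
    1001: Transaction(txn_id=1001, owner_id=1, amount=4999),
    1002: Transaction(txn_id=1002, owner_id=2, amount=12999),
}


def get_transaction_vulnerable(caller_id: int, txn_id: int) -> Optional[dict]:
    """Looks the record up by id alone. The session proves who the caller is, but nothing
    ties the requested id to that caller, so any authenticated user can read any record."""
    txn = TRANSACTIONS.get(txn_id)
    if txn is None:
        return None
    return {"txn_id": txn.txn_id, "owner_id": txn.owner_id, "amount": txn.amount}


def get_transaction_hardened(caller_id: int, txn_id: int) -> Tuple[int, dict]:
    """Object-level authorization: serve the record only when its owner is the authenticated
    caller. A foreign id gets the same 404 as a missing id, so the endpoint does not reveal
    which ids exist."""
    txn = TRANSACTIONS.get(txn_id)
    if txn is None or txn.owner_id != caller_id:
        return 404, {"error": "not found"}
    return 200, {"txn_id": txn.txn_id, "amount": txn.amount}


# Constructed access-log lines in a hypothetical "user=<id> GET <path> -> <status>" format.
SAMPLE_ACCESS_LOG = """\
user=1 GET /api/transactions/1001 -> 200
user=2 GET /api/transactions/1002 -> 200
user=2 GET /api/transactions/1001 -> 404
user=2 GET /api/transactions/1003 -> 404
user=2 GET /api/transactions/1004 -> 404
user=2 GET /api/transactions/1005 -> 404
"""
LOG_LINE = re.compile(r"user=(\d+) GET /api/transactions/(\d+) -> (\d{3})$")


def suspicious_callers(log_text: str, threshold: int = 3) -> list:
    """Return caller ids that were denied on at least `threshold` distinct record ids.
    With the hardened handler in place, a burst of 404s across many ids from one account
    is the visible trace of someone probing other users' records."""
    denied_ids = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m and m.group(3) == "404":
            denied_ids[int(m.group(1))].add(int(m.group(2)))
    return sorted(user for user, ids in denied_ids.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print("vulnerable, user 2 reads 1001:", get_transaction_vulnerable(2, 1001))
    print("hardened,   user 2 reads 1001:", get_transaction_hardened(2, 1001))
    print("hardened,   user 1 reads 1001:", get_transaction_hardened(1, 1001))
    print("callers to review:", suspicious_callers(SAMPLE_ACCESS_LOG))
```

The fix is the single ownership comparison in `get_transaction_hardened`; the point of the log pass is that, once the check is in place, the denied requests become an auditable signal rather than a silent data leak.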