Sunday, January 17, 2016

Schooly exposed in Amazon AWS

Today, Haaretz newspaper published my study, about Schooly, a platform, which enable schools to have online system, to support verity of activities related to the schools needs

 There was a huge exposure, included very sensitive information of kids
 

It's all started from a research that's me and Samuel Crdillo were doing, about Amazon AWS, and later a tool has been created which called "Bucket-Hunter"





Before publishing, out work, I was thinking how can I limit the impact on Israeli users

So I went to Google, and made some Google Dorks (strings, which brings you sensitive results).


As more as I checked, Schooly were the main results, all over Google, this while checking for Hebrew words, like ID + s3.amazonaws.com 

The problem went far away, since it was not only Google exposure, but the main bucket were open to anyone






Just before speaking with Schooly, they fixed the ability to see the bucket list. Yet, downloading the files were possible even after few month

In the situation when young kids are being exposed, the government should open protection program.







The problem were in both side, Schooly as well as the schools who publish sensitive information of kids (six years old is too sensitive) 

The files which exposed in the bucket were under schooly care, yet if a school is published something it's different story.

It's time for the ministry of education, to make a change - since this is a big failure of 100,000, kids which have a potential identity and physical reaction to the exposure.



No comments:

Post a Comment