Personal data of 2.8 Lakh students and teachers enrolled on BYJU’S-owned online coding platform WhiteHat Jr was reportedly exposed for an undetermined time due to multiple vulnerabilities of the company’s server till mid-November. WhiteHat Jr has reportedly fixed the vulnerability after it was brought to its notice, however, it is as yet unclear whether any of the user data was compromised when the flaw had not been fixed.
According to a cybersecurity researcher, who spoke to The Quint anonymously, the BYJU’S-owned company was using Amazon Web Services (AWS) servers and the S3 buckets, where data is stored, were left open, allowing access into folders containing documents, files, data and videos. Typically, these folders are stored are only accessible by authorised company personnel with a username and a password.
WhiteHat Jr told Inc42, “Based on the information received from responsible disclosures made to WhiteHatJr about possible security vulnerabilities, we reviewed our setup and patched the identified vulnerabilities… We always strive to improve our customer experience and performance of the application, and to support this we use various industry-validated tools and software.”
“I can most definitely confirm this that the patch was delivered within 24 hours of disclosure. If I remember it correctly it took 18 hours for the company to patch all vulnerabilities for the mail I had sent on 19th November,” the researcher said.
The database which was left exposed included the personal data of thousands of minors, their parents and guardians, as well as teachers along with documents related to WhiteHat Jr, which is currently embroiled in multiple court cases. Additionally, internal company documents related to employee salaries as well as dozens of recorded videos of the classes being conducted on WhiteHat Jr’s platform.
Responding to queries of data collection, WhiteHat Jr had told The Quint that the company stores basic customer data such as name, contact information, projects and curriculum-related info, and pictures. The data collected is stored with the required consent of the party involved. The company has emphasised that it does not store any personally identifiable information (PII) of its customers, employees, suppliers collected/ processed by WhiteHatJr on our applications.
The researcher had reached out to WhiteHat Jr on October 26, but received no response. The researcher then mailed the company CTO Pranab Dash on November 19 and 20, and received a response on November 21. “I got a response from the company’s CTO Pranab Dash on 21 November who acknowledged the vulnerabilities and informed me they had been taken care of,” the researcher told The Quint, which had first reported this development.
Meanwhile, according to queue management app DINGG’s founder Santosh Patidar, WhiteHat Jr was also found to have been leaking personal data through its API (Application Programming Interface), where one user could view another’s data including transaction details. This vulnerability was later fixed.
This story is developing and will be updated with more information in real-time. Do check back for an update soon.