Security News > 2021 > October > Sensitive data of 400,000 German students exposed by API flaw
Approximately 400,000 users of Scoolio, a student community app widely used in Germany, had sensitive information exposed due to an API flaw in the platform.
Scoolio is a German student community app that aims to help students with time management, tutoring, homework planning, and group chats for networking with peers.
Scoolio makes money by collecting data generated through these tools and features and then monetizing it with targeted advertising.
Data exposed by leaky API

In Zerforschung's report, Wittmann explains how she exploited Scoolio API flaws to retrieve extremely sensitive data for any user ID used on the app.
Wittmann shared a fictitious sample of the types of data exposed by the flaw below.
"We cannot say exactly how many students are affected. Because scoolio artificially inflates its user numbers by creating accounts without asking: As soon as you download the app and open it once, an empty profile with a UUID is generated - regardless of whether you actually want to create a user account," explains the Zerforschung report.