Connect with us

Education

Reddit post claims MOE warned of Mobile Guardian vulnerability 2 months before hack

Following a recent hack of MOE’s Mobile Guardian app affecting 13,000 students, a Redditor revealed that he had alerted MOE to security vulnerabilities two months ago. He expressed disappointment over MOE’s lack of action despite multiple emails. Gutzy has contacted MOE and Minister Chan Chun Sing for comments.

Published

on

SINGAPORE: Following a recent hack of the Ministry of Education (MOE)’s Mobile Guardian app, which affected 13,000 students, a Redditor revealed on social media that he had emailed MOE about potential security vulnerabilities as early as two months ago.

In a Reddit post dated August 5, the user shared the content of the email, noting his long-standing awareness of the app’s security issues and the potential consequences.

“So many emails to Mobile Guardian and MOE later, it is disappointing for me to find out that everything I did was for nothing. It still took MOE an actual cybersecurity breach to learn their lesson,” the user wrote.

The user expressed a desire to raise awareness about the issue by sharing his correspondence with MOE.

“Hopefully, this will allow us to take similar incidents more seriously in future.”

Gutzy has reached out to MOE and Mr Chan Chun Sing, Minister of Education for their response regarding this claim and will include their response if received.

Redditor alerts critical vulnerability in the Mobile Guardian App

In the email shared by Reddit user “Hopeful_Chocolate080,” the Redditor described a critical vulnerability in the Mobile Guardian app, which was sent to MOE in late May.

The email highlighted that the vulnerability involved improper access control, allowing unauthorized read and modification of all data within the Mobile Guardian system. The Redditor noted that this flaw could be exploited in under three minutes.

The Redditor suspected that this portal was Mobile Guardian’s internal management system, which, contrary to the information published by MOE, provided full read-and-write access to all schools and users.

This included the ability to impersonate users, meaning an attacker could perform any action that school admins could, such as resetting personal learning devices.

The Redditor emphasized that this was a trivial vulnerability, likely indicative of other similar issues.

The email urged MOE to reconsider Mobile Guardian as a vendor for DMA services, questioning the security and management of sensitive data by foreign companies under contractual obligations.

 

In an email dated 6 June, the Redditor received a brief reply from MOE, stating that they had raised the issue with Mobile Guardian and were reassessing their cybersecurity posture.

About three weeks later, the Redditor had to write to MOE again to request an update. In their response, MOE stated that they had reviewed the vulnerability report and “confirmed that it is no longer a concern.”

“However, we take data protection seriously and appreciate all vulnerability disclosures. ”

“Due to commercial sensitivity, we are unable to share information about our future engagements with Mobile Guardian. We appreciate your understanding. ”

r/singapore - Proof of Correspondence with MOE Regarding Mobile Guardian Vulnerability

 

Recently, following the loss of internet access issue involving the Mobile Guardian app, the Redditor sent another email to the MOE Minister.

The Redditor reiterated his belief that Mobile Guardian should be removed immediately to prevent further damage, even if no replacement is available at present.

The Redditor expressed pessimism about the situation, noting that he had not yet received a reply from MOE and doubted his efforts contributed to the app’s removal.

He also voiced disappointment over the cybersecurity breach on 4 August, criticizing it as a demonstration of Singapore’s digital defence failure.

“It is ridiculous how so many students on the ground knew about the vulnerability and tried to alert the authorities, but nobody took it seriously.”

“I cannot help but to be reminded of the attempted assassination of Donald Trump — there is just so much similarity between the two incidents. We have got to do much better than this, Singapore.”

I alerted MOE of an impending cybersecurity attack on Mobile Guardian two months ago
byu/Hopeful_Chocolate080 inSGExams

MOE awarded tender to Mobile Guardian in 2020

Developed by a South African firm, Mobile Guardian, a device management app (DMA), restricts users’ access to apps and websites on smartphones, tablets, and laptops.

In 2020, MOE awarded a tender to Mobile Guardian, which holds the ISO27001 certification, an international standard for information security management systems.

In April, a data leak exposed the names and email addresses of parents and teachers from several Singaporean schools.

Following the breach, MOE pledged to collaborate with cybersecurity experts to prevent future incidents.

However, the recent breach has sparked concerns about the effectiveness of these measures and the continued vulnerability of students’ personal learning devices.

Minister for Education Chan Chun Sing addressed Parliament, stating, “Mobile Guardian assessed that the compromised support account was primarily due to poor password management practices, not the result of an unauthorized individual exploiting vulnerabilities in their systems.”

Mr Chan emphasized MOE’s serious view of the incident, noting that IT service providers are contractually obligated to protect personal data.

“MOE has registered our deep dissatisfaction with Mobile Guardian over this incident. ”

“We have asked them to appoint a forensic investigator to evaluate their systems and processes and provide recommendations to prevent recurrence. Investigations are ongoing, and appropriate actions will be taken should there be breaches of contractual obligations,” he stated in May.

Despite Mr Chan’s assurances, the recent hack of Mobile Guardian raises questions about the pledges made by him and the ministry.

This is particularly concerning in light of claims made by the Reddit user, who alleged that MOE was warned about vulnerabilities in the app months before the current hack.

Share this post via:
Continue Reading
18 Comments
Subscribe
Notify of
18 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments

Posted in another thread: Some leads? – Codeproof Technologies Inc (USA) behind Mobile Guardian – Satish Shetty – Rajat Khare – Ajay Niranjan – Suresh Ramaiah – products: Codeproof MDM, Mobile Guardian Same like the Credit Bureau (Singapore), the information on Who is behind the development company is hard to find out in normal way. They will throw a website there, tell you what they sell, how good they are, free use for how many months, offer discounts for how long, many pictures of Ang mo, lists testimonies of its users, no office address listed, no contact person, etc etc…… Read more »

If this Chan Chun Sing were in LKY’s cabinet his head would have rolled to long ago.Former HDB minister Teh Chiang Wan took his own life when confronted with corruption.

Under LHL ,Wan Cunt Sing let Mat Selamat escape.Mat Selamat is in Singapore or out side Singapore.Gan Kim Yong as Health minister,8 out of 25 patients died in a renal ward due to beening infected with hepatitis outbreak.We do not believe in blame culture.Keppel corruption case nobody was punished.

This is LEGALISE CORRUPTION.PAP ministers and their cronies are ABOVE THE LAW.They will be protected at all cost.PAP CORRUPT.

If it is true, then the people must really kick CCS balik kampung…..lol.

The civil service will not do anything until the shit hits the fan. We can write numerous emails but will get only automated replies or they will reply that the relevant departments have been notified without revealing the actions they are taking. If you push harder, they will say it is confidential. Government agencies will also direct you to go to Court even though they issue the licences. We have no protection against bad actors in the various industries and will have to pay thousands of dollars as legal fees because of the Regulator. We need a civil service to… Read more »

Like Khaw Boon Wan slantedly pretend to accuse WP of any corruption, posing, were there acts of transfer of money from one pocket to another.

How does this apply into MoEdn and Mobile Guardian?

As James Lee has pointed out, Mobile Guardian hails from the prestigious and highly functioning state of South Africa. A land where traffic lights do not work because their electric cables have been stolen by roving gangs of thieves. Yes, out of all the companies in the world. The ruling government elites chose to do business with a company in one of the most corrupt nations on Earth. I wonder why? Did the money for the tender end up in the pockets of the ruling government’s elites? The money was certainly not spent on “cybersecurity.” Meanwhile, one of the contractors… Read more »

Last edited 3 months ago by Blankslate

Mobile Guardian is a South African firm.Another South African firm were used to recruit retired servicemen to train fighter jets pilots from CCP China.It is interesting to know whether Mobile Guardian is in any form related or owned by CCP’S interests.Foreign infiltration and acts to harm SG social structures can’t be ruled out given what CCP’s PSPs have inflicted fear and damage to the social structures of some western democracies,US,UK, France Germany Italy and Italy are in the process of getting rid of these elements.SG is of no acception.

Chan Chun Sing YOU USELESS PRICK!STEP DOWN!!!You and your ministry HAVE MADE LIFE A HELL FOR STUDENTS.

This prohlem is same like their forced vax.
Forced you dumb fucks to vax, you die, they no take responsibility.😆😆😆🤣🤣🤣🤣

What to EXPECT of PAP Administration if they ARE SEEN TO BE TOLD what to do, and SEEN to make mistakes AND POINTED out by others?

Then They WILL BE EXTREMELY EMBARASSED knowing Well THEY HAVE SCREWED Their Own Million Dollars Salaries WORTHS. So EXPECT them to DENY AND DENY AND DENY.

Remember there was a phone call made at Telok Blangah some recent years ago informing them about a verandah problem at which A SUBSEQUENT ACCIDENT happened WHICH they DENIED about phone call COMPLAINT?

Just call a spade a spade – no need a merry go round to illustrate – what has this reinforce?

The PAP Administration ARROGANCE and POSITION of ITSELF as AUTHORITATIVE, as ONE WHO KNOWS BEST, as MASTERS of SG and SHEEPS LORD, they DO NOT be TREATED to be TAUGHT to SUCK eggs!

Is my Statement CORRECT? LOOK NO further than KEPPEL BRIBERY CORRUPTION, Ridout Road SCANDALS of Self Recusals, as 2 of CLEAR SIGNS showing in DETAILS WHO is this PAP.

After this fiasco PAP will once again play musical chairs with CCS..
Now he’s in hiding writing some motherhood excuses..
Round & round he goes..where CCS will end nobody knows.. 😂
Consequences of PAP’s “no blame culture” strikes again..

Hope they don’t give excuses like “mas selamat if either inside singapore or else he must be outside singapore.”

Trending