Comments
Informant rebuts MOE’s claim of patched security flaw in Mobile Guardian system
A concerned member of public reported a critical security flaw in MOE’s Mobile Guardian system two months before a hack compromised student data. Despite MOE’s claims that the issue was patched, the informant criticized the ministry’s response on Reddit, showing evidence the flaw remained.
Earlier this week, a Reddit user claimed to have previously informed the Ministry of Education (MOE) about a critical security vulnerability in the Mobile Guardian system, two months before a hack occurred, resulting in thousands of students losing their data and having the app entirely removed from the learning devices.
The individual, who provided evidence of their correspondence with MOE, has since criticised the ministry’s response, alleging that the issue was not fully addressed.
The Reddit user initially uploaded screenshots showing email exchanges with MOE’s Information Technology Division, beginning on 30 May.
MOE responded to the user on 6 June, stating that they had raised the issue with Mobile Guardian and were reassessing their “cybersecurity posture.”
By 25 June, MOE informed the user that the reported vulnerability was “no longer a concern” after a review.
In response to queries from Channel News Asia and Straits Times, MOE confirmed on Friday that it had received the vulnerability report on 30 May.
The ministry claimed that the vulnerability had already been identified and patched as part of an earlier security screening and that the exploit was no longer effective after the patch. MOE added that an independent certified penetration tester conducted a further assessment in June and detected no similar vulnerabilities.
However, the Reddit user, who goes by the handle u/Desperate_Vanilla808, in collaboration with another user, u/Hopeful_Chocolate080, who discovered the vulnerability, has since returned to the platform with a rebuttal.
In a detailed post, they expressed dissatisfaction with MOE’s handling of the situation and raised broader concerns about the effectiveness of the ministry’s cybersecurity practices.
The post highlighted that while MOE claimed the vulnerability had been patched by 30 May, they provided a video showing that the endpoint in question appeared to remain unpatched even after MOE’s assurance.
It was also pointed out that the vulnerability was trivial yet critical and questioned why it took a secondary school student under three hours to discover it, while MOE’s independent audits and regular cybersecurity testing seemingly missed it for nearly three years.
They highlighted, “While the vulnerability was discovered through an earlier security screening, it seems there was no immediate action taken to disable the Mobile Guardian system (e.g. logins or signups) to prevent potential exploitation of the vulnerability before it was patched.”
In the comments, it was noted that u/Hopeful_Chocolate080 discovered the vulnerability in August 2021 and sent feedback to Mobile Guardian but received no response from the company. As a result, u/Hopeful_Chocolate080 had to write to MOE on 18 May to voice his concerns, which initiated a series of exchanges till MOE finally asked for the vulnerability to be sent to it on 30 May.
In the Reddit post, they criticised the ministry for taking several working days to respond to their initial report and subsequent communications, arguing that such delays were unacceptable in handling security vulnerabilities.
u/Hopeful_Chocolate080 also raised concerns about the adequacy of MOE’s cybersecurity measures, “It is already less relevant how the recent hack happened and whether it was caused by a more sophisticated attack; the fact that this trivial vulnerability existed for several years should itself raise concerns. There are many important questions that MOE needs to answer here.” said the Reddit user.
In a separate response to queries from Gutzy, it was pointed out that a super admin account created using the exploit might not have been disabled or removed after the patch was applied.
They questioned whether MOE had truly followed through on its commitment to “regular auditing of all admin and vendor accounts,” a practice the ministry reportedly mentioned in public statements during the rollout of the Digital Learning Device Management (DMA) system.
The Reddit user also stated their intention to remain anonymous due to fears of retaliation and concerns about potential violations of local laws.
Despite the ministry’s reassurances, the concerns raised by the Reddit user have sparked broader discussions about the adequacy of cybersecurity measures within Singapore’s public institutions.
As MOE presumes that its reply to CNA and ST has sufficiently addressed the issue, it seems the ministry intends to conclude the matter without further engagement. However, the public can only hope that more comprehensive answers will be forthcoming when this matter is inevitably raised in the upcoming parliamentary session.
My friend’s stepmother makes $85/hr. on the laptop. She has been without work for nine months but last month her income was $18122 just working on the laptop for a few
hours. This online work is amazing.
You can also see details…. Www.Pays77.Com
But for the Reddit user, … the nation would be none the wiser, and fully accepting of MOE’s “taking a serious view” !!!
No different to the RidOut ministerial manoeuvres, … if not for KJ’s revelations !!!
SillyPoreans are missing out on a lot of relevant news, … but for disclosures outside of the regime and it’s cohorts !!!
MOE probably didn’t agree to the cost of the change request provided by the CECAdian company. Should have tap on GovTech but then they are staff by Cecadians, so it’s LPPL.
Reputation. Denials. Arrogance.
3 important PAP Administration characteristic that is preferable than be safe for students and parents of SG?
The PARAMOUNT PAP No Blame Culture is of so huge National Importance and CRUCIALITY..
WTF is all SG matters? Yes all SG matters BUT their POWER MATTERS MORE.
Arrogance.
Nothing but pure arrogance and being dismissive to anyone except themselves.
PAP know all
PAP has all
PAP is all
I say PAP must fall, dismissed and deported.
ForeSEE MOE used a piece of koyok (medicated patch) to stick onto the computer screen with Mobile Guardian logo displayed, and deemed it has patched the software vulnerability.
By massive lies, recusals, POFMA protection, AG armour fence, SPF aggressive powers under a poor, abusive Monster 👾 to people, they are damn lucky because of cotton producing sheeps, to get away with 10s of years of cheating SGpns Reserves to ownself pay ownself Millions of Dollars of Salaries AND STILL STAY in Power. Trouble with Sheeps is they were robbed of money to pay SG Govt Services to the People Staffs high salaries and undue bonuses for jobs and services to Singaporeans purportedly done well – without they understanding, perhaps due to sweets, cyanide coated candies and chemicals injected… Read more »