Informant rebuts MOE’s claim of patched security flaw in Mobile Guardian system

Earlier this week, a Reddit user claimed to have previously informed the Ministry of Education (MOE) about a critical security vulnerability in the Mobile Guardian system, two months before a hack occurred, resulting in thousands of students losing their data and having the app entirely removed from the learning devices.

The individual, who provided evidence of their correspondence with MOE, has since criticised the ministry’s response, alleging that the issue was not fully addressed.

The Reddit user initially uploaded screenshots showing email exchanges with MOE’s Information Technology Division, beginning on 30 May.

MOE responded to the user on 6 June, stating that they had raised the issue with Mobile Guardian and were reassessing their “cybersecurity posture.”

By 25 June, MOE informed the user that the reported vulnerability was “no longer a concern” after a review.

In response to queries from Channel News Asia and Straits Times, MOE confirmed on Friday that it had received the vulnerability report on 30 May.

The ministry claimed that the vulnerability had already been identified and patched as part of an earlier security screening and that the exploit was no longer effective after the patch. MOE added that an independent certified penetration tester conducted a further assessment in June and detected no similar vulnerabilities.

However, the Reddit user, who goes by the handle u/Desperate_Vanilla808, in collaboration with another user, u/Hopeful_Chocolate080, who discovered the vulnerability, has since returned to the platform with a rebuttal.

In a detailed post, they expressed dissatisfaction with MOE’s handling of the situation and raised broader concerns about the effectiveness of the ministry’s cybersecurity practices.

The post highlighted that while MOE claimed the vulnerability had been patched by 30 May, they provided a video showing that the endpoint in question appeared to remain unpatched even after MOE’s assurance.

It was also pointed out that the vulnerability was trivial yet critical and questioned why it took a secondary school student under three hours to discover it, while MOE’s independent audits and regular cybersecurity testing seemingly missed it for nearly three years.

They highlighted, “While the vulnerability was discovered through an earlier security screening, it seems there was no immediate action taken to disable the Mobile Guardian system (e.g. logins or signups) to prevent potential exploitation of the vulnerability before it was patched.”

In the comments, it was noted that u/Hopeful_Chocolate080 discovered the vulnerability in August 2021 and sent feedback to Mobile Guardian but received no response from the company. As a result, u/Hopeful_Chocolate080 had to write to MOE on 18 May to voice his concerns, which initiated a series of exchanges till MOE finally asked for the vulnerability to be sent to it on 30 May.

In the Reddit post, they criticised the ministry for taking several working days to respond to their initial report and subsequent communications, arguing that such delays were unacceptable in handling security vulnerabilities.

u/Hopeful_Chocolate080 also raised concerns about the adequacy of MOE’s cybersecurity measures, “It is already less relevant how the recent hack happened and whether it was caused by a more sophisticated attack; the fact that this trivial vulnerability existed for several years should itself raise concerns. There are many important questions that MOE needs to answer here.” said the Reddit user.

In a separate response to queries from Gutzy, it was pointed out that a super admin account created using the exploit might not have been disabled or removed after the patch was applied.

They questioned whether MOE had truly followed through on its commitment to “regular auditing of all admin and vendor accounts,” a practice the ministry reportedly mentioned in public statements during the rollout of the Digital Learning Device Management (DMA) system.

The Reddit user also stated their intention to remain anonymous due to fears of retaliation and concerns about potential violations of local laws.

Despite the ministry’s reassurances, the concerns raised by the Reddit user have sparked broader discussions about the adequacy of cybersecurity measures within Singapore’s public institutions.

As MOE presumes that its reply to CNA and ST has sufficiently addressed the issue, it seems the ministry intends to conclude the matter without further engagement. However, the public can only hope that more comprehensive answers will be forthcoming when this matter is inevitably raised in the upcoming parliamentary session.