Icon: enlarge
Hasso Plattner Institute: The HPI School Cloud was developed as a non-commercial platform
Photo: Sascha Steinach / imago images
The Hasso Plattner Institute (HPI) claims to have closed two security holes in the HPI school cloud.
Previously, the editorial staff of the IT magazine "c't" had been made aware of the problems associated with the Thuringian school cloud by a whistleblower.
The solution in Thuringia is based on the HPI platform.
A weak point in the system meant that not only teachers and students could have registered.
In detail, it concerns, among other things, an inadvertently not deactivated demo account.
The whistleblower - and thus in principle everyone else - was able to log into the Thuringian school cloud with the user name schueler@schul-cloud.org and via a small detour in the browser, reports the "c't".
With the help of the demo account, access to handwritten assessed tests and exercise sheets was possible via actually secret links, it is said, as well as to class and teacher lists, including contact details.
Videos could also be found.
After the HPI was confronted with the problems by "c't", the institute behaved in an exemplary manner and repaired the gaps, writes the computer magazine.
The HPI itself announced that its technical team was able to close both vulnerabilities within an hour.
"The HPI assumes that the whistleblower only exploited the security holes for test purposes," it writes.
"According to the current state of knowledge, there has been no misuse of potentially unauthorized retrievable personal data." The HPI outlines the possible consequences of access via the demo account in a blog post.
The incident has been reported
Since at least the "c't" whistleblower had retrieved data, it was a reportable incident in Thuringia, writes the HPI.
"The state data protection officer of Thuringia was informed by the HPI, as were our partners and the potentially affected users in the Thuringian school cloud," explained institute director Christoph Meinel.
"The HPI school cloud and all of its instances are still secure and can be used without restrictions."
A data protection gap in the HPI platform was discovered back in May and closed again after a short time.
The HPI School Cloud was developed by the Hasso Plattner Institute as a non-commercial platform and funded by the Federal Ministry of Education.
More than a million users are currently accessing the platform.
According to the HPI, the number of users has increased almost thirty-fold since March 2020.
The number of schools that use this school cloud is currently over 3700 and has increased tenfold in this period.
Icon: The mirror
mbö / dpa
