
Homework app Learnu stops operating after security gaps

2021-11-11T11:02:21.934Z


The hacker collective Zerforschung found serious weaknesses in an app for sharing school homework: data from 400,000 users was available, and third-party accounts could be hijacked.


Learnu's internal passwords and keys could be read out (Photo: Learnu)

What the Learnu app promised students could be called the commercialization of copying: documents such as homework or school presentations could be shared through it, and ideally users could even earn money doing so.

Other users could pay just under five euros a month for a premium account that gave them access to the homework provided.

However, the app had serious security flaws, as an analysis by the hacker collective Zerforschung, which is available to SPIEGEL, suggests.

According to the analysis, all user data could be read out with simple means: not only the information publicly displayed in profiles, but also the e-mail address, the school and the place of residence of around 400,000 people.

It was also possible to control other people's accounts.

The reason for this was that the application ran in a special mode that should only be enabled during software development (more precisely: on the server side, it ran with the so-called debug mode of the Laravel web framework switched on).

IT security expert Lilith Wittmann from Zerforschung was also able to read various internal passwords and keys from the app's backend.
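The misconfiguration described in the two paragraphs above is a deployment-time error: a Laravel `.env` shipped with `APP_DEBUG=true`, which makes the framework's error page expose internal configuration to whoever triggers an exception. The following pre-deploy gate, written here as an added example and not part of the article or of Learnu's code, refuses a `.env` whose `APP_DEBUG` is not exactly `false` or whose `APP_ENV` is not `production`; the two sample `.env` files it checks are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Learnu's code: a pre-deploy check for a Laravel .env file.
# Refuses the deploy when APP_DEBUG is not "false" or APP_ENV is not "production".

# Read one key from a .env file: the last assignment wins (as in Laravel),
# surrounding quotes, spaces and CR characters are stripped.
env_value() {
  grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d " \r\"'"
}

# Return 0 when the .env is acceptable for production, 1 otherwise.
check_laravel_env() {
  app_debug=$(env_value "$1" APP_DEBUG)
  app_env=$(env_value "$1" APP_ENV)
  status=0
  if [ "$app_debug" != "false" ]; then
    echo "REFUSE: APP_DEBUG='$app_debug' (must be exactly false)" >&2
    status=1
  fi
  if [ "$app_env" != "production" ]; then
    echo "REFUSE: APP_ENV='$app_env' (must be production)" >&2
    status=1
  fi
  return $status
}

# Constructed sample files for the demonstration; all secret values are placeholders.
WORKDIR=$(mktemp -d)
WEAK_ENV="$WORKDIR/weak.env"   # the development-style configuration
SAFE_ENV="$WORKDIR/safe.env"   # the corrected production configuration
printf 'APP_ENV=local\nAPP_DEBUG=true\nAPP_KEY=base64:PLACEHOLDER\nDB_PASSWORD=placeholder\n' > "$WEAK_ENV"
printf 'APP_ENV=production\nAPP_DEBUG="false"\nAPP_KEY=base64:PLACEHOLDER\nDB_PASSWORD=placeholder\n' > "$SAFE_ENV"

check_laravel_env "$WEAK_ENV" && echo "weak.env accepted (unexpected)" || echo "weak.env refused"
check_laravel_env "$SAFE_ENV" && echo "safe.env accepted" || echo "safe.env refused (unexpected)"
```

Wire `check_laravel_env .env` into the CI or deploy step so a build with debug mode left on fails before it reaches the server.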

The security gaps described were confirmed by Learnu on request.

However, according to their own statements, the operators of Learnu had already planned to cease operation of the app before this incident.


The app is no longer functional.

Although the website still exists and Learnu can still be installed from the Google Play Store, it is no longer possible to register a user account.

"Taking the app offline was the fastest, most efficient and most secure way of not exposing users' data to any further risk and preventing possible access by third parties," said the two founders of the company on request.

"Incidentally, for private reasons, we had already decided beforehand to bring the whole project that we started as school students to an end soon."

According to the founders of Learnu, they had the app built by an external development team: "It was documented that typical weak points had supposedly been closed and that the app should be secure after a statement and a few months of work by the development team. As founders, we relied on this know-how from the external IT consultant."

The users of the app have not yet been informed of the incidents.

The European General Data Protection Regulation (GDPR) stipulates that in some cases the data subject must be informed in the event of a violation of data protection rights.

But the responsible data protection authority in North Rhine-Westphalia sees no need for this in this case - and justifies this with the trustworthiness of the discoverers of these security gaps.


"The state commissioner (for data protection, editor's note) informed Learnu on request that, in her opinion, the access by the 'Zerforschung' group does not pose a high risk to the rights and freedoms of the persons concerned and that there is therefore no obligation to notify them of this access under Article 34 of the General Data Protection Regulation," said the authority. "This information was given against the background that the research group is known here to be trustworthy and pursues the goal of uncovering security gaps in order to improve the protection of the data. There is no intention of abuse here."

"Although we are pleased about the trust that the data protection authority has placed in us, we believe that this should not be a reason to release software manufacturers from their notification obligation under the General Data Protection Regulation," commented Lilith Wittmann from Zerforschung on this decision.

Zerforschung is an association of people who regularly discover and report on security vulnerabilities.

Most recently, the group systematically analyzed school and learning apps.

It had previously documented data leaks at Corona test centers several times.

Lilith Wittmann also gained some notoriety because she found serious security flaws in an election campaign app of the CDU.

Source: spiegel
