The popular university admission platform Leverage EDU leaked almost 240,000 sensitive files, including students’ passports, financial documents, certificates, and exam results.
The Cybernews research team discovered that Leverage EDU leaked extremely sensitive data due to the misconfiguration of their systems. As no authentication was required, anybody could access all of the student’s personal information needed to apply to universities.
Leverage EDU works as a one-stop admission platform for students seeking to study abroad. It claims to have a network of over 650 educational institutions worldwide and 80 million users over the last year.
With branches throughout India, the company has quadrupled its workforce since the pandemic and secured $22 million in funding from international investors. It runs offices in the UK and Australia.
Cybernews reached out to the company, and access to users’ data was secured. The company confirmed to journalists that the problem was solved and that it started an investigation of their systems.
Screenshot of the leaked passport. Image by CybernewsA treasure trove of personal data
On January 31st, the Cybernews research team discovered a misconfigured and publicly accessible cloud storage – an Amazon S3 bucket.
Total number of files stored in the bucket. Image by CybernewsThe bucket contained countless zip folders with almost 240,000 files exposing prospective students’ sensitive data and personally identifiable information (PII).
Among the leaked data were degree certificates, student report cards, exam results, CVs, and filled application forms, along with phone numbers, emails, and home addresses.
Screenshot of a zipped folder stored in the bucket. Image by CybernewsThe researchers noticed numerous personal identification documents, including passport photos belonging to students and their parents, which is a cause for serious concern.
Graduation certificate. Image by CybernewsThe open bucket also exposed users’ financial information, including bank statements, student loan documents, loan co-signers’ identification documents, and payslips.
Screenshot of leaked confirmation email by Leverage EDU. Image by CybernewsA malicious actor could have exploited the leaked personal data to commit identity theft and fraud. A data leak of such magnitude creates an opportunity for criminals to craft spear-phishing attacks and target individuals with greater precision putting their financial and other accounts at risk.
Application form. Image by CybernewsIf you want to know how Leverage EDU should mitigate the risks give a look at the original post at CyberNews:
About the author: Paulina Okunytė, Journalist at CyberNews
We are in the final!
Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERSVote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini
Please nominate Security Affairs as your favorite blog.
Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Leverage EDU)
The post University admission platform Leverage EDU exposed student passports appeared first on Security Affairs.