Student Admissions Site Leak Exposed Thousands of Children – Ankor Tech

A critical security vulnerability in the school admissions platform Ravenna Hub has been patched after exposing the sensitive personal information of countless children. The flaw allowed unauthorized users to bypass privacy protections and access private student profiles with minimal effort.

The Scope of the Data Exposure

Ravenna Hub, a portal managed by Florida-based VenturEd Solutions, facilitates school enrollment applications for over one million students annually. The security lapse permitted any authenticated user to view the personally identifiable information (PII) of other families stored within the system.

Exposed data points included:

  • Full names and dates of birth of children
  • Residential addresses and photographs
  • Details regarding current school enrollment
  • Parental contact information, including email addresses and phone numbers
  • Information concerning siblings

Technical Failure: The IDOR Vulnerability

The breach stemmed from an insecure direct object reference (IDOR)—a common but dangerous security flaw. Because the platform utilized sequential numbering for student profiles, users could access restricted data simply by modifying the numerical identifier in their web browser’s address bar.

By incrementing these digits, an attacker could iterate through and harvest the records of other users. During verification, it was determined that changing a seven-digit identifier provided access to over 1.63 million student records.
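The missing check behind an IDOR of this kind, as an added example rather than Ravenna Hub's code (which the article does not show): a handler that only verifies the caller is logged in, beside one that also verifies the requested record belongs to the caller. All function names, field names and records are constructed for illustration.

```python
# Added illustration: hypothetical names, constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    profile_id: int   # sequential identifier, as in the flaw described above
    family_id: int    # account that owns the record
    child_name: str

# Constructed sample records keyed by sequential seven-digit id.
PROFILES = {
    1000001: Profile(1000001, family_id=11, child_name="Sample Child A"),
    1000002: Profile(1000002, family_id=22, child_name="Sample Child B"),
    1000003: Profile(1000003, family_id=22, child_name="Sample Child C"),
}

NOT_FOUND = (404, None)

def get_profile_vulnerable(session_family_id, profile_id):
    """Authentication only: any logged-in account can read any id."""
    if session_family_id is None:
        return (401, None)
    profile = PROFILES.get(profile_id)
    return (200, profile) if profile else NOT_FOUND

def get_profile_fixed(session_family_id, profile_id):
    """Object-level authorization: the record must belong to the caller."""
    if session_family_id is None:
        return (401, None)
    profile = PROFILES.get(profile_id)
    # Same response for "missing" and "not yours", so the status code
    # does not reveal which identifiers exist.
    if profile is None or profile.family_id != session_family_id:
        return NOT_FOUND
    return (200, profile)

def readable_ids(handler, session_family_id):
    """Regression check: which stored ids return 200 for this session?"""
    return sorted(pid for pid in PROFILES
                  if handler(session_family_id, pid)[0] == 200)

if __name__ == "__main__":
    print("vulnerable:", readable_ids(get_profile_vulnerable, 11))
    print("fixed:     ", readable_ids(get_profile_fixed, 11))
```

Replacing sequential identifiers with random ones makes guessing harder but does not replace the ownership check; a check like `readable_ids` belongs in the test suite for every endpoint that takes an object identifier.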

Company Response and Accountability

After being notified of the flaw, VenturEd Solutions addressed the vulnerability within a single day. CEO Nick Laird confirmed that the issue was replicated and subsequently patched.

Despite the severity of the incident, VenturEd Solutions remains opaque regarding the impact. Laird declined to confirm whether the company would notify affected families or whether it has the logging capabilities to determine if the data was exploited by malicious actors prior to the patch. Furthermore, the company refused to disclose details regarding third-party security audits or its internal cybersecurity oversight structure.

A Growing Trend in EdTech Security

This incident adds to a troubling pattern of data exposure within the education technology sector. The failure at Ravenna Hub follows a similar breach in January involving UStrive, an online mentoring platform that also inadvertently compromised the personal data of school-aged users. These recurring lapses highlight persistent challenges in maintaining robust security controls for platforms handling sensitive youth information.