In the constantly evolving landscape of cyber security, vigilance and expertise are key. This was recently highlighted when a critical concern was brought to light within the IDAttend system, a widely used third-party attendance application in Queensland state government schools.
The process began with a report from a Queensland high school student, who had discovered several vulnerabilities in the IDAttend system that could put sensitive data at risk. They tried to alert their school, but the gravity of the situation wasn't immediately recognised.
Recognising the potential implications of these vulnerabilities, however, the student reached out to The Missing Link. As an industry leader in cyber security consulting and support, we took notice of the student’s findings and decided to investigate them further.
Our investigations confirmed the presence of the identified vulnerabilities and, as a result, we conducted additional research on the software. This effort led to the discovery of 30 zero-day vulnerabilities in total.
Taking a responsible approach to security risks
Understanding the significance of the vulnerabilities, The Missing Link engaged with the vendor, providing detailed explanations and extensive assistance, even volunteering company time to help rectify the issue. A coordinated disclosure was agreed upon, following the traditional practice of allowing at least 90 days for the application to be patched.
This responsible approach minimised the risk to all users involved while working with the affected vendor to keep the public safe. The collaborative effort led to the successful remediation of the vulnerabilities, ensuring the protection of students across the state.
Jack Misiura, Application Security Manager at The Missing Link, expressed the importance of the discovery along with how inspiring the teenager was in helping create a safer cyber-environment for their school.
“We were truly inspired and impressed by their proactive attitude and passion for cyber security,” Misiura said. “As an organisation committed to cyber security, we are proud to have collaborated with the student and leverage our CNA (CVE Numbering Authority) status to drive positive change and protect the data of students across the state.”
Collaborating for positive outcomes
This incident underscores the importance of community vigilance in the cyber security space. It also illustrates how a collaborative approach between individuals, organisations, and vendors can lead to positive outcomes.
“The Missing Link is proud to have had the opportunity to collaborate with this individual to address the vulnerabilities in the IDAttend system,” Misiura said. “Our mission has always been to protect businesses and individuals from cyber threats, and in this case, we were determined to extend that protection to students and their sensitive data.”
The discovery and resolution of the vulnerabilities in the IDAttend system present a valuable case study in responsible disclosure and collaboration. The effort highlights the role that each of us can play in maintaining cyber security and the importance of industry experts working alongside community members to achieve common goals.
The details of the 30 zero-day vulnerabilities discovered in the IDAttend system have been disclosed and can be found in The Missing Link's Security Advisories.
Need help with your cyber security?
Making sure your cyber security is rock-solid is vital in today's threat landscape. That's why The Missing Link is here to help.
As a leading provider of offensive security services, we offer expert Red Teaming, Penetration Testing, and comprehensive cyber security solutions and managed services. Our experienced professionals and cutting-edge techniques can assess your security posture, identify vulnerabilities, and strengthen your defences.
Get in touch with The Missing Link today to learn more about our offensive security services and how we can safeguard your organisation against evolving cyber threats.