A security flaw in Ravenna Hub, a student admissions platform used by families to apply to schools, exposed the personal information of children and their parents.
The platform, developed by VentureEd Solutions, serves more than one million students and processes hundreds of thousands of applications each year.
According to reporting by TechCrunch, the bug allowed any logged-in user to access the personally identifiable information (PII) of other users — including children — simply by modifying a number in the website’s address bar.
What data was exposed?
The accessible information included:
- Children’s full names
- Dates of birth
- Home addresses
- Photos
- School details
- Parents’ email addresses and phone numbers
- Information about siblings
Nature of the vulnerability
The flaw was identified as an Insecure Direct Object Reference (IDOR) — a common web security issue that occurs when systems lack proper authorization checks.
In this case:
- Student profile numbers were sequential.
- By changing a seven-digit profile number in the URL, a user could access another student’s profile.
- When TechCrunch created a test account, it revealed that more than 1.63 million records may have been accessible.
Company response
After being alerted by TechCrunch, VentureEd confirmed it was able to replicate the issue and fixed the vulnerability the same day.
However, CEO Nick Laird did not confirm whether:
- Users would be notified.
- The company could determine if unauthorized access occurred.
- A third-party security audit had been conducted.
It remains unclear who oversees cybersecurity at VentureEd and Ravenna Hub.
Broader concern
This incident follows similar data exposure cases involving children’s information. In January, mentoring platform UStrive reportedly exposed user data, many of whom were students.
