Many daycare centers, after-school care centers, schools and care facilities in German-speaking countries use the "Stay Informed" app (formerly Kita-Info-App and School-Info-App) to communicate digitally with parents or relatives. For example, the facilities distribute information and appointments via the app, and parents can report their children sick or confirm that their offspring may take part in the upcoming school trip. The system of the Freiburg-based Stay Informed GmbH also offers a chat function.
The company prioritizes the issues of data protection and security for its customers. Among other things, external “regular pen tests” are carried out. And: “A team of IT security experts and data protection officers supports the further development of our software in order to guarantee you a secure and at the same time simple solution.”
However, an anonymous whistleblower pointed out to c't a massive data leak that we were able to verify: The company stored large amounts of files on a freely accessible web server, at least some of which came from users of the Stay Informed app.
Server publicly accessible and unprotected
The server was reachable via the plaintext protocol HTTP and directly served a "directory listing" of its contents. Directory listing is a feature that dates back to the early days of the web and is still shipped with the Apache web server (the `Indexes` option of `mod_autoindex`), and it has repeatedly caused reports like this one. In most cases it should be disabled, because if a server holds files that are not intended for the public, directory listing reveals them mercilessly. Listing only makes the files discoverable, though; the actual problem in this case is that the files themselves had no access protection, so anyone who knew or guessed a URL could download them.
In addition, Stay Informed did not use transport encryption: the server spoke plain HTTP on port 443, the port reserved for TLS-encrypted HTTPS. Among the unprotected data were nearly 1,500 CSV files, each containing personal information on a large number of people, particularly minors. Alongside names, dates of birth and addresses, the files also contained countries of origin, information about vaccinations, religious denominations, legal guardians, emergency contacts, class teachers and much more.
The server also delivered over 16,000 avatar images, apparently the profile pictures used in the chat function. These included photos of children and adults. PDF files and photos uploaded by the institutions for parents are also affected by the data leak, as are digital, albeit encrypted, signatures from parents.
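The two misconfigurations described above, an Apache directory listing on a path without access control and plain HTTP answered on port 443, are easy to check for from the outside and easy to catch in a configuration review. The script below is an added example and not code from c't or from Stay Informed GmbH; the autoindex page, the port-443 replies and the two Apache `<Directory>` fragments are constructed samples, not the real server's output or configuration. It parses an autoindex page to list what is exposed, classifies what a server sends back when it receives a plaintext request on port 443, and flags `Options Indexes` and `Require all granted` in a config fragment next to the corrected settings.

```python
"""Checks for an Apache directory listing without access control and for
plaintext HTTP on port 443.  Added example; all sample data is constructed."""
import re
import socket

# Constructed sample of an Apache mod_autoindex page (not the real server's output).
SAMPLE_AUTOINDEX = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /export</title></head>
<body><h1>Index of /export</h1>
<table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td><td>&nbsp;</td></tr>
<tr><td><a href="kinder_2023.csv">kinder_2023.csv</a></td><td>2023-08-18 10:02</td></tr>
<tr><td><a href="avatars/">avatars/</a></td><td>2024-03-01 09:15</td></tr>
<tr><td><a href="elternbrief.pdf">elternbrief.pdf</a></td><td>2024-02-12 16:40</td></tr>
</table></body></html>
"""

AUTOINDEX_TITLE = re.compile(r"<title>\s*Index of (/[^<]*)</title>", re.I)
HREF = re.compile(r'<a\s+href="([^"]+)"', re.I)


def exposed_entries(html):
    """Return (directory, [entries]) if html is an Apache autoindex page, else None.
    Column-sort links (?C=...), the parent-directory link (/...) and absolute
    links are skipped; what remains are the files and subdirectories exposed."""
    m = AUTOINDEX_TITLE.search(html)
    if not m:
        return None
    entries = [h for h in HREF.findall(html)
               if not h.startswith(("?", "/", "http"))]
    return m.group(1).strip(), entries


def classify_reply(first_bytes):
    """Classify what port 443 sent back to a plaintext 'GET / HTTP/1.0' request."""
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"      # the server spoke HTTP without TLS
    if len(first_bytes) >= 3 and first_bytes[0] in (0x15, 0x16) and first_bytes[1] == 0x03:
        return "tls"                 # TLS alert (0x15) or handshake (0x16) record
    return "unknown"                 # e.g. connection closed without data


def probe_port_443(host, timeout=5.0):
    """Send a plaintext request to port 443 and classify the reply (needs network).
    A TLS server may simply close the connection, which yields 'unknown'."""
    with socket.create_connection((host, 443), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            data = s.recv(16)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_reply(data)


# Constructed Apache fragments: the weak settings and the corrected ones.
WEAK_CONF = """<Directory "/var/www/export">
    Options Indexes FollowSymLinks
    Require all granted
</Directory>
"""
HARDENED_CONF = """<Directory "/var/www/export">
    Options -Indexes
    Require all denied
</Directory>
"""

DIRECTORY_BLOCK = re.compile(r'<Directory\s+"?([^">]+)"?>(.*?)</Directory>', re.S | re.I)


def audit_directory_blocks(conf):
    """Return [(path, [issues])] for every <Directory> block in an Apache config.
    Flags a listing enabled via Options Indexes/+Indexes/All and a block that is
    open to everyone; both are wrong for a directory holding non-public files."""
    findings = []
    for m in DIRECTORY_BLOCK.finditer(conf):
        path, body, issues = m.group(1), m.group(2), []
        for line in body.splitlines():
            words = line.split()
            if not words:
                continue
            if words[0].lower() == "options" and any(
                    w.lower() in ("indexes", "+indexes", "all") for w in words[1:]):
                issues.append("directory listing enabled (Options Indexes)")
            if words[0].lower() == "require" and [w.lower() for w in words[1:3]] == ["all", "granted"]:
                issues.append("open to everyone (Require all granted)")
        findings.append((path, issues))
    return findings


if __name__ == "__main__":
    print(exposed_entries(SAMPLE_AUTOINDEX))
    print(classify_reply(b"HTTP/1.1 200 OK\r\n"))
    print(audit_directory_blocks(WEAK_CONF), audit_directory_blocks(HARDENED_CONF))
```

`probe_port_443("example.org")` is the only part that touches the network; run it against hosts you are authorized to test. Disabling the listing is not the fix on its own: a directory of uploaded exports also needs `Require all denied` (or an authenticated handler in front of it) so that a guessed or leaked URL no longer yields the file, and the virtual host on 443 needs `SSLEngine on` so that the request never travels in the clear.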
Over 800,000 users
The Stay Informed app is widely used. According to the provider's website, more than 11,000 German daycare centers, after-school care centers and schools are connected to the system, which corresponds to 842,280 users at present.
We informed Stay Informed GmbH about the data leak on Monday, March 18th. Managing director Jürgen Thiel reacted immediately and had the problem resolved.
According to him, the misconfiguration of the web server, and thus the possibility of public access, existed “as far as we know at the earliest since October 20th, 2021 and at the latest since August 18th, 2023”. He explained that “all customers regarding avatars, PDF attachments and signatures” are affected. “Only messenger users” are affected by the exposed profile pictures. The CSV files, some of which were very extensive, contained data from 15 percent of customers. By customers, however, Thiel does not mean people, but rather institutions and providers docked to the system.
Others bear the responsibility
The company concludes a data processing agreement with these customers, under which it provides its service as "Software-as-a-Service". The controllers within the meaning of the GDPR are therefore the more than 11,000 institutions, each of which now has its own data protection incident to handle in-house. In many cases they have to report it to the competent state data protection authority (under Article 33 GDPR, without undue delay and where feasible within 72 hours of becoming aware of it) and possibly also to the affected parents.
By its own account, Stay Informed GmbH intends to inform the responsible Baden-Württemberg state data protection authority about the incident. All facilities were informed of the incident on the afternoon of March 20th. Managing Director Thiel sent us the information email that went out. According to it, the web server's log files were analyzed: "The earliest access still visible to us that exploited the error described above occurred on March 5th, 2024."
Affected facilities should contact authorities
Stay Informed advises the institutions: "From our point of view, it is necessary that you inform your responsible data protection supervisory authority. As the responsible body, you must carry out the risk assessment yourself and, based on this, decide whether to inform your app users. For this, however, you need to know whether your facilities have uploaded exported files. We will provide you with this information as quickly as possible."
The Freiburg company thus leaves the decision on whether the incident must be reported to the responsible authority and/or to those directly affected to the providers themselves. Initial feedback we received from a consultant who works for several providers suggests that some facilities may be overwhelmed by such a decision on the basis of the information provided. It is likely that the state data protection authorities will receive thousands of reports from daycare centers, schools and other social institutions in the coming days.
Meanwhile, Stay Informed assures in the information email: "Our IT security officers have checked our entire infrastructure. This check did not reveal any further gaps of this kind. We have commissioned them to automatically scan our infrastructure on a weekly basis. We assume that such an error would then be noticed and remedied promptly."
Much of c't's investigative research is only possible thanks to anonymous information from whistleblowers.
If you are aware of an issue that the public should know about, you can provide us with information and material. Please use our anonymous and secure mailbox.
https://heise.de/investigativ
(rei)