Remini, a smartphone app that launched in 2013, aims to provide parents and educators with a social network to follow a child’s progress throughout school and their early life, documenting important milestones and letting parents share images with their child’s school.
But Remini exposed these records, and the personal information of its users, to the internet at large, thanks to an API that let anyone pull the data without any authentication at all. The data included email addresses, phone numbers, and the documented moments of the children as well as their profile photos, according to a researcher who discovered the issue.
Remini has since taken the exposed API offline, but only after multiple complaints from a user as well as the researcher. The company confirmed the security issue to Motherboard.
“As a parent, I’m shocked and upset that this was a situation, upset it took so long to come down but grateful it did,” one user of the app told Motherboard in an online chat. “As a programmer, I’m highly amused and disturbed at the incompetence here,” they added. Motherboard granted anonymity to users and the researcher who found the vulnerability to avoid backlash from Remini.
The Remini app offers a collection of familiar social media features, such as public posts, private messages, and features more catered specifically to its parent and educator customer base, such as sharing assessments and reports, as well as attendance records. Schools use the app as a way for parents to not miss out on moments in their children’s growth; users can share photos and videos with their school, class, or individual parents, Remini’s website reads.
Remini's website also claims that the app is “in a class of its own when it comes to security. The app and website have undergone extensive hacking checks and tests.”
That claim doesn’t sit well with having customer data freely available for anyone to download.
“No auth [authentication] at all,” was required to pull the customer data, the researcher told Motherboard. According to the researcher, user IDs were incremental, meaning it was trivial to scroll through various IDs and download the data linked to each one.
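The two properties the researcher describes, an endpoint that answers without credentials and user IDs that increment, leave a recognisable trace in server logs: one client walking consecutive IDs. The following detection routine is an added example, not code from the article or from Remini; it runs over constructed access-log lines in an assumed format against a hypothetical `/api/users/{id}` path and reports clients whose successful requests form a run of consecutive IDs, along with how many of those hits carried no credentials.

```python
import re
from collections import defaultdict

# Constructed sample log (not real traffic). Assumed format per line:
# client_ip path status auth_header_present(yes|no)
SAMPLE_LOG = """\
203.0.113.7 /api/users/1041 200 no
203.0.113.7 /api/users/1042 200 no
203.0.113.7 /api/users/1043 200 no
203.0.113.7 /api/users/1044 200 no
203.0.113.7 /api/users/1045 200 no
198.51.100.3 /api/users/1042 200 yes
198.51.100.3 /api/users/7 200 yes
198.51.100.3 /api/users/1042 200 yes
"""

LINE_RE = re.compile(r"^(\S+) /api/users/(\d+) (\d{3}) (yes|no)$")

def parse(log_text):
    """Yield (ip, user_id, status, authed) for each line hitting the user endpoint."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ip, uid, status, auth = m.groups()
            yield ip, int(uid), int(status), auth == "yes"

def longest_sequential_run(ids):
    """Length of the longest run where each ID is exactly the previous one plus 1."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def detect_enumeration(log_text, min_run=4):
    """Map client IP -> (longest consecutive-ID run, unauthenticated 200s) for
    clients whose successful requests walk at least `min_run` consecutive IDs."""
    per_ip = defaultdict(list)
    unauth = defaultdict(int)
    for ip, uid, status, authed in parse(log_text):
        if status == 200:                 # only successful reads count as exposure
            per_ip[ip].append(uid)
            if not authed:
                unauth[ip] += 1
    return {ip: (longest_sequential_run(ids), unauth[ip])
            for ip, ids in per_ip.items()
            if longest_sequential_run(ids) >= min_run}
```

The second client re-reads its own record and one other ID, which a legitimate app does; only the first client trips the rule, and the unauthenticated count shows the endpoint served every one of those reads with no credentials.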
The API was able to retrieve children’s profile photos, the researcher added, but it is not totally clear if other uploaded photos were also exposed.
“A breach this bad should have been an immediate shutdown,” the researcher said. Instead, Remini left the API open for days after being alerted to the issue.
“A researcher approached us about an issue and since then our team has been working to resolve it in a timely manner,” Remini told Motherboard in an email. “Our team turned off the app in order to ensure that the system remains secure while we work to correct the issue. To the best of our knowledge no information has been leaked and we have been in contact with the researcher who brought the problem to our attention. We value all feedback from users and will continue to improve moving forward.”
This isn’t even the first time researchers have managed to pull customer data from Remini’s servers. In March an Israeli cybersecurity researcher used the ancient SQL-injection style of attack, a more offensive approach than querying an exposed API, to obtain Remini data. That researcher hauled a similar selection of data to that exposed by the more recent vulnerability, as well as photos of the children.
Today, children are constantly online in some form, whether that’s in their toys, games, or even the apps their parents are using to keep tabs on them. Something to bear in mind: all of these can still be exploited and exposed.