A serious security breach in an app called Remini left millions of pictures of Israeli children vulnerable to being leaked to the internet.
Remini is an app that enables preschool teachers to stay in touch with parents. It allows them to share everything from pictures and videos to schedules of classroom activities and personal information.
But it turns out to have very poor security, and most of the information shared on it can easily reach the internet. This information includes some six million photos that aren’t pixelated or protected in any way, as well as the personal details of more than 100,000 parents.
The breach has since been fixed. TheMarker waited to publish this report until that happened.
“It all began when a worried mother asked me if Remini is secure,” recalled the security researcher who discovered the breach. The researcher has his own high-tech company, but decided to investigate the issue for free as a favor to the worried mother.
“It took me a quarter of an hour to find a point of entry, and from there, I had full access to the database,” he said. “All the pictures of children are stored in an unsecured Amazon database which is defined as public. Anyone can access it.
“This demonstrates a criminal contempt for privacy,” he added. “There are currently 8.5 million pictures and videos of children there, plus details about 111,000 adults.” The latter include email addresses, Facebook information and telephone numbers.
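The researcher describes the photos as sitting in Amazon storage “defined as public.” The following is an added example, not part of the original report and not Remini’s configuration: a small Python check that reads an S3-style bucket policy and flags any Allow statement granted to the anonymous principal (“*”) with no Condition, which is the setting that exposes a bucket to the whole internet. Both sample policies, the bucket name and the account/role ARN are constructed for the demonstration.

```python
import json

# Constructed sample policies for the demonstration (not a real bucket, not Remini's).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",                      # anyone on the internet
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-photos",
                     "arn:aws:s3:::example-photos/*"],
    }],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        # Only a named application role (hypothetical ARN) may read objects.
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-photos/*"],
    }],
})


def is_anonymous_principal(principal):
    """True for the forms that mean 'everyone': "*" or {"AWS": "*"} (string or list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_statements(policy_json):
    """Return the Sids of Allow statements that grant access to anonymous
    principals without any Condition narrowing who may use the grant."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):   # a single statement may be written bare
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A conditioned grant (e.g. restricted by source IP) needs human
            # review rather than an automatic "public" verdict.
            continue
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    print("public policy  ->", public_statements(PUBLIC_POLICY))
    print("restricted one ->", public_statements(RESTRICTED_POLICY))
```

The check is deliberately conservative: it only reports unconditional grants to “*”, so a reported finding is always worth acting on. In a real AWS account the policy text would come from the bucket’s policy API, and the usual mitigation is to remove the anonymous grant and enable the account-level Block Public Access setting so that such a policy cannot be applied again.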
His method of entry was a standard attack technique called SQL injection, in which the attacker types a database command into a form field that expects a password or other information, and the application passes that input straight through to its database without checking it.
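To show what the report means by input reaching the database unchecked, here is an added example (not code from the article or from Remini): a login check written two ways against a constructed in-memory SQLite table. The first version pastes the submitted values into the SQL text, so a password field containing a quote character changes the logic of the query; the second uses driver placeholders, so the same input is only ever compared as data. The user table, its contents and the function names are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample table for the demonstration; not Remini's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('teacher', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The submitted strings are spliced into the SQL text, so the quoting and
    # the WHERE logic of the statement are under the submitter's control.
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    # Placeholders: the values travel separately from the SQL text and can
    # only be compared as data, never parsed as part of the statement.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Constructed input that is a valid SQL fragment rather than a password.
TAUTOLOGY_INPUT = "' OR '1'='1"


def demo():
    """Run both implementations with a correct password and with the
    tautology input; return the four outcomes for comparison."""
    conn = make_db()
    return {
        "valid_vulnerable": login_vulnerable(conn, "teacher", "correct-horse"),
        "valid_parameterized": login_parameterized(conn, "teacher", "correct-horse"),
        "injected_vulnerable": login_vulnerable(conn, "teacher", TAUTOLOGY_INPUT),
        "injected_parameterized": login_parameterized(conn, "teacher", TAUTOLOGY_INPUT),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} -> {'logged in' if ok else 'rejected'}")
```

Both functions accept the genuine credentials; only the string-built version also accepts the tautology input, because the spliced quote turns the condition into `password = '' OR '1'='1'`, which is always true. The fix that closes the hole is the placeholder form, which every mainstream database driver supports; on the detection side, a quote or SQL keyword appearing in a password field is a cheap signal worth logging at the application layer.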
Remini is recommended by the Education Ministry, whose website describes it as a “secure social network that allows ongoing communication on educational issues — a closed environment for communication between preschool staff members and parents.”
The head of the ministry’s infrastructure department, Sam Kaplan, formally approved the app’s use on February 1, 2017. It’s not clear what tests were run before this approval was given.
In an interview with the Israeli website Geektime in 2015, Raz Wasserstein, one of Remini’s founders, said the app had been approved by the Education Ministry and was already used by 500 preschools. The company was holding discussions about using the app with municipalities nationwide and various organizations that run nursery schools, he added.
Most users apparently use the free version of the app.
After the breach was discovered, information about it was given to the company, the Education Ministry, the National Cyber Directorate and the Justice Ministry’s Privacy Protection Authority, which has overall responsibility for Israeli databases and is authorized to take action in cases of faulty security.
The Remini breach is just the latest in a series of security breaches discovered over the past few months in Israeli databases and online services, ranging from the price comparison and shopping website Zap to the Interior Ministry’s online appointments system for getting biometric documents.
The security researchers who discover these breaches do so for free, to raise awareness of cybersecurity issues among Israeli agencies and organizations. Despite Israel’s view of itself as a cybersecurity power, internet-based services and databases run by both government agencies and the private sector are often poorly secured. The National Cyber Directorate apparently doesn’t conduct its own checks the way private researchers do; rather, it focuses on setting policy and issuing alerts about attacks.
The Education Ministry said that after being informed of the problem with Remini, it immediately asked the company to fix it. “We’re in constant contact with the company, and we won’t let up until we’re certain the application is completely secure and safe to use,” it added.
Over the weekend, after TheMarker contacted the company, the Na’amat women’s organization, which uses Remini at its preschools, issued a statement to parents. “The application was checked and approved by the authorized government agencies,” it said. “Following this incident, Remini has beefed up its security. The company promised that it will continue to provide secure service to the Education Ministry and organizations that run day care centers.”
The Privacy Protection Authority declined to comment on the specific incident, saying merely that it takes action when appropriate and reports on such action only after it is over.
Remini said that “Information security is very important to us. The Remini app was checked and approved by cybersecurity experts approved by the authorized government agencies. Despite this, and in light of developing cyberthreats, we were informed of an attack. As soon as we learned of the attack, we made an enormous effort to solve the problem immediately, and it has indeed been solved.
“We are very grateful to the parties that brought this to our attention. Following this incident, we’ve bolstered our information security system at Remini, so we can continue to guarantee safe, pleasant and easy service to parents and preschools.”