Security gap in learning platform Mebis!

Learning platforms are getting more and more attention in Covid-19 times and are gaining users rapidly. However, not all of these platforms are secure and protect their users' data sufficiently. This is also the case with the platform Mebis, which was developed by the Bavarian Ministry of Culture. A group of hackers has now published an article describing several vulnerabilities in the Mebis platform.

Hacker group from Nuremberg discovers security gaps in Mebis

As early as May 20, 2020, the hacker group discovered an Open Redirect security hole in the learning platform Mebis. One member of the hacker group is still a student himself and uses this learning platform in class. With the Open Redirect vulnerability, an attacker could place the address of a website in the URL, and the user would automatically be redirected to it. Such a vulnerability can be used to redirect victims to a phishing site.

One day later, the hacker group reported further vulnerabilities, including other Open Redirect vulnerabilities, client-side-only validation and an XSS vulnerability. The XSS vulnerability is the most dangerous one, because attackers can execute their own JavaScript code.

Again, this can lead victims to phishing sites, but what makes it more dangerous than the Open Redirect vulnerability is that the displayed URL is unchanged, making it difficult for the user to see that he has landed on a phishing site.
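As an added illustration (not code from Mebis or from the hacker group's report), this is one way a server can validate a redirect parameter itself instead of relying on client-side checks. The host names, the fallback path and the function name `safeRedirectTarget` are assumptions chosen for the example.

```javascript
// Added example: server-side validation of a redirect parameter.
// BASE_ORIGIN and ALLOWED_HOSTS are placeholders, not real Mebis values.
const BASE_ORIGIN = "https://learning.example";
const ALLOWED_HOSTS = new Set(["learning.example", "media.learning.example"]);
const FALLBACK = "/";

function safeRedirectTarget(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return FALLBACK;
  }
  // Browsers treat "\" like "/" and silently drop tabs and newlines, so
  // inputs containing them can resolve to another host. Reject them outright.
  if (/[\u0000-\u001f\u007f\\]/.test(raw)) return FALLBACK;

  let url;
  try {
    // Resolve relative paths against our own origin, as a browser would.
    url = new URL(raw, BASE_ORIGIN);
  } catch {
    return FALLBACK;
  }
  // Only https targets: blocks javascript:, data: and plain http.
  if (url.protocol !== "https:") return FALLBACK;
  // "https://trusted@other.example/" has host other.example; refuse userinfo.
  if (url.username !== "" || url.password !== "") return FALLBACK;
  // Exact host match, no suffix or substring comparison, default port only.
  if (!ALLOWED_HOSTS.has(url.hostname) || url.port !== "") return FALLBACK;

  // Same-origin targets are returned as a path so they cannot leave the site.
  if (url.origin === BASE_ORIGIN) return url.pathname + url.search + url.hash;
  return url.href;
}

// Constructed sample inputs, including common bypass shapes to test against.
function checkSamples() {
  const samples = [
    "/course/42?tab=files",
    "https://media.learning.example/v/1",
    "https://phish.example/login",
    "//phish.example/login",
    "/\\phish.example",
    "https://learning.example@phish.example/",
    "https://learning.example.phish.example/",
    "javascript:alert(1)",
  ];
  return samples.map((s) => [s, safeRedirectTarget(s)]);
}
```

Every rejected value falls back to the start page rather than producing an error that echoes the input back to the user.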

92 days later – First vulnerability closed

After the hacker group discovered the security gaps in May 2020, they immediately reported them to the Bavarian Ministry of Education and Cultural Affairs. They gave the ministry a 90-day deadline to close this gap before the hacker group would write a press release.

After reminding the ministry of the deadline several times without a concrete answer as to when the gaps were to be closed, the 90 days expired on August 19, 2020. On this very day, a post was published on the website of the hacker group which, among other things, details all security gaps.

The first press report appeared on August 21, 2020. Only one hour later the XSS gap was closed. The state commissioner informed the hacker group that the XSS gap had been closed, but that the other gaps could not all be fixed yet. However, the other gaps were all closed the following day at the latest.

Mebis vulnerabilities were not exploited

According to the first published press release, there is no evidence that these vulnerabilities have been exploited. Nevertheless, it is good that the hacker group found and reported these vulnerabilities, some of them critical, because about 1 million students have an account on this platform.

If you are interested in finding vulnerabilities in real systems, you can start with Bug Bounty Programs. If you actually find vulnerabilities in a real application, these findings can be rewarded.

Vincent Reckendrees

Hello, I am Vincent Reckendrees and I lead the Offensive Services team at AWARE7 GmbH. In my bachelor's and master's studies I specialized in IT security, and I am a BSI-certified IS penetration tester. My passion is reverse engineering, hardware security and web security. As an expert in penetration testing, I find vulnerabilities in systems and networks and use them to simulate realistic cyberattacks and improve security measures. Through reverse engineering I discover flaws and opportunities for improvement in software and hardware. My skills in hardware and web security enable me to protect physical devices and online platforms from a wide range of cyber threats and to ensure their integrity and reliability.