Security gap in learning platform Mebis!

M.Sc. Jan Hörnemann

Learning platforms have been getting more and more attention during the Covid-19 pandemic and are gaining users rapidly. However, not all of these platforms are secure and protect their users' data sufficiently. This is also the case with the platform Mebis, which was developed by the Bavarian Ministry of Culture. A group of hackers has now published an article describing several vulnerabilities in the Mebis platform.

Hacker group from Nuremberg discovers security gaps in Mebis

As early as May 20, 2020, the hacker group discovered an open redirect vulnerability in the learning platform Mebis. One member of the hacker group is still a student himself and uses this learning platform in class. With the open redirect vulnerability, an attacker could place the address of an arbitrary website in a Mebis URL, and a user who opened that URL was automatically redirected to that website. Such a vulnerability can be used to redirect victims to a phishing site.
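On the server side, an open redirect is closed by validating the redirect target before it is used. The following is an added example, not code from the article or from Mebis; the host name `learn.example.org` and the function name are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical host name; the article does not name the platform's real hosts.
ALLOWED_HOSTS = {"learn.example.org"}
FALLBACK = "/"


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return target if it stays on the site, otherwise the fallback path."""
    if not target or target != target.strip():
        return fallback
    # Browsers drop tab/CR/LF inside URLs and treat "\" like "/",
    # so control characters and backslashes are rejected outright.
    if "\\" in target or any(ord(ch) < 0x20 or ch == "\x7f" for ch in target):
        return fallback
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed IPv6 literal
        return fallback
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a single-slash absolute path.
        # "//host" and "///host" can be resolved as another site.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return fallback
    # Absolute URL: https only, no userinfo, host on the allow-list.
    if parts.scheme != "https":
        return fallback
    if parts.username is not None or parts.password is not None:
        return fallback
    if parts.hostname not in allowed_hosts:
        return fallback
    return target
```

Anything that fails a check is replaced by the fallback path rather than "cleaned up", so a crafted value never reaches the `Location` header.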

One day later, the hacker group reported further vulnerabilities, including other open redirect vulnerabilities, a client-side-only validation and an XSS vulnerability. The XSS vulnerability is the most dangerous one, because attackers can execute their own JavaScript code.

Again, this can lead victims to phishing sites. What makes it more dangerous than the open redirect vulnerability is that the displayed URL is unchanged, making it difficult for users to see that they have landed on a phishing site.

92 days later – First vulnerability closed

After the hacker group discovered the security gaps in May 2020, they immediately reported them to the Bavarian Ministry of Education and Cultural Affairs. They gave the ministry a 90-day deadline to close the gaps before the hacker group would write a press release.

The group reminded the ministry of the deadline several times without receiving a concrete answer as to when the gaps would be closed, and the 90 days expired on August 19, 2020. On that very day, a post was published on the website of the hacker group which, among other things, details all of the security gaps.

The first press report appeared on August 21, 2020. Only 1 hour later, the XSS gap was closed. The state commissioner informed the hacker group that the XSS gap had been closed, but that the other gaps could not all be fixed yet. However, the other gaps were all closed the following day at the latest.

Mebis vulnerabilities were not exploited

According to the first published press release, there is no evidence that these vulnerabilities have been exploited. Nevertheless, it is good that the hacker group found and reported these vulnerabilities, some of which are critical, because about 1 million students have an account on this platform.

If you are interested in finding vulnerabilities in real systems, you can start with bug bounty programs. If you actually find vulnerabilities in a real application, these findings can be rewarded.

M.Sc. Jan Hörnemann

Hello dear reader, my name is Jan Hörnemann. I am a TeleTrust Information Security Professional (T.I.S.P.) and have been dealing with information security topics on an almost daily basis since 2016. CeHv10 was my first hands-on certification in the field. With a Master of Science degree in Internet Security, I have learned about many different aspects and try to share them in live hacking shows as well as on our blog. In addition, I am active as an information security officer and have been qualified by TÜV for this activity (ISB according to ISO 27001).