Security gap in learning platform Mebis!

Learning platforms are receiving more and more attention during the COVID-19 pandemic and are gaining users rapidly. However, not all of these platforms are secure or protect their users' data sufficiently. This is also the case with the platform Mebis, which was developed by the Bavarian Ministry of Culture. A group of hackers has now published an article describing several vulnerabilities in the Mebis platform.

Hacker group from Nuremberg discovers security gaps in Mebis

As early as May 20, 2020, the hacker group discovered an Open Redirect vulnerability in the learning platform Mebis. One member of the group is still a student himself and uses this learning platform in class. The Open Redirect vulnerability made it possible for attackers to place a website address in the URL, to which the user is then automatically redirected. Such a vulnerability can be used to redirect victims to a phishing site.
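As an added example (not code from Mebis or from the original article), this Python sketch contrasts the open-redirect pattern described above with a server-side check of the redirect target. The host name `learn.example.org`, the function names and all sample values are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only external host this application may redirect to.
ALLOWED_HOSTS = {"learn.example.org"}
FALLBACK = "/"  # where to send the user when the target is rejected


def naive_redirect_target(param: str) -> str:
    """Open-redirect pattern: the URL parameter becomes the Location unchanged."""
    return param


def safe_redirect_target(param: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return param only if it stays on this site or on an allowed https host."""
    # Browsers treat "\" like "/" and strip tabs, newlines and leading spaces,
    # so reject such input outright instead of trying to normalise it.
    if not param or "\\" in param or any(ord(c) < 0x21 or ord(c) == 0x7F for c in param):
        return FALLBACK
    try:
        parts = urlsplit(param)
    except ValueError:  # malformed authority, e.g. an unclosed IPv6 bracket
        return FALLBACK
    if not parts.scheme and not parts.netloc:
        # Relative target: accept only a single-slash absolute path.
        ok = param.startswith("/") and not param.startswith("//")
        return param if ok else FALLBACK
    if parts.scheme != "https":
        # Rejects javascript:, data:, http: and scheme-relative //host targets.
        return FALLBACK
    # .hostname drops userinfo and port, so "allowed@other-host" cannot pass.
    host = (parts.hostname or "").lower()
    return param if host in allowed_hosts else FALLBACK


# Constructed sample values for the redirect parameter.
SAMPLES = [
    "/course/view?id=7",
    "https://learn.example.org/dashboard",
    "https://phish.example.net/login",
    "//phish.example.net/login",
    "https://learn.example.org@phish.example.net/",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value!r:50} naive={naive_redirect_target(value)!r} "
              f"safe={safe_redirect_target(value)!r}")
```

The naive function returns every sample unchanged, while the checked version falls back to `/` for everything that leaves the site or the allowed host.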

One day later, the hacker group reported further vulnerabilities, including other Open Redirect vulnerabilities, a case of client-side-only validation and an XSS vulnerability. The XSS vulnerability is the most dangerous one, because attackers can execute their own JavaScript code.

Again, this can lead victims to phishing sites, but what makes it more dangerous than the Open Redirect vulnerability is that the displayed URL remains unchanged, making it difficult for users to see that they have landed on a phishing site.

92 days later – First vulnerability closed

After the hacker group discovered the security gaps in May 2020, they immediately reported them to the Bavarian Ministry of Education and Cultural Affairs. They gave the ministry a 90-day deadline to close the gaps before the hacker group would write a press release.

After reminding the ministry of the deadline several times without a concrete answer as to when the gaps were to be closed, the 90 days expired on August 19, 2020. On this very day, a post was published on the website of the hacker group which, among other things, details all security gaps.

The first press report appeared on August 21, 2020. Only one hour later, the XSS gap was closed. The state commissioner informed the hacker group that the XSS gap had been closed, but that the other gaps could not all be fixed yet. However, the other gaps were all closed the following day at the latest.

Mebis vulnerabilities were not exploited

According to the first published press release, there is no evidence that these vulnerabilities have been exploited. Nevertheless, it is good that the hacker group found and reported these vulnerabilities, some of which were critical, because about 1 million students have an account on this platform.

If you are interested in finding vulnerabilities in real systems, you can start with Bug Bounty Programs. If you actually find vulnerabilities in a real application, these findings can be rewarded.

Chris Wojzechowski

My name is Chris Wojzechowski, and a few years ago I completed my master's degree in Internet Security in Gelsenkirchen. I am a managing partner of AWARE7 GmbH and a trained IT risk manager and IT-Grundschutz Praktiker (TÜV), and I hold the audit procedure competence for § 8a BSIG. Our bread-and-butter business is conducting penetration tests. Beyond that, we advocate for a broad understanding of IT security in Europe and for this reason offer the majority of our products free of charge.