Victoria's educational apps-for-students let creeps contact kids

World+Dog can contact any student via a shared doc

By Richard Chirgwin


Updated Google and the Victorian Department of Education have set parents, students, teachers, and the Office of the Australian Information Commissioner a poser: at what point does a feature become a vulnerability? Or just too creepy to put in front of kids?

Victoria's teachers and students have adopted a system based on Google Apps for Education, accessed through a portal on the department's EduSTAR system.

As people become more familiar with the setup, however, parents have identified system behaviours which are reasonable for business tools used by adults, but look out-of-place in the hands of primary school students.

The two brought to Vulture South's attention by a concerned parent appear to be normal Google Apps features, but we can understand how they could be worrying to a parent: easy access to around 170,000 EduSTAR profiles of teachers and students via Google Contacts; and the ability for anybody with a Google account – for example, Google Drive – to contact a student as an “outsider” with no connection whatsoever to education.

These are features – but, as one parent told The Register, in the sensitive setting of school education, they're prone to abuse.

In short: first, someone willing to abuse a legitimate EduSTAR login could easily scrape all the profiles; and second, those profiles would let a malicious outsider identify students and abuse other Google features to (as an example) chat with and groom students via shared editing of a Google document.


The concerned parent who contacted The Register arrive at their estimate of 170,000 profiles simply enough: they multiplied the number of pages (nearly 700) in EduSTAR's Google Contacts database with the number of entries per page.

The URL tells all: navigation to the last page of contacts in EduSTAR. Image supplied. Click to embiggen

The profile fields include name, nickname, title and company*, a “file as” field, notes, e-mail, phone, address, birthday, URL, “relationship”, instant messaging contact, and Internet call contact.

E-mail, the parent told us, is disabled for primary children.

Whoever is responsible for the implementation, The Register feels it's arguable that a system-wide open directory is a de facto bad idea and probably privacy breach: nobody should be able to see what school your kids attend.

We asked the Office of the Australian Information Commissioner (OAIC) for an opinion on this, and were told the office is investigating.

Kids contactable by World+Dog

The second, more serious issue the parent pointed out to Vulture South is that any of these profiles can be contacted by other people with Google accounts – contact to or from EduSTAR accounts is not limited to people with EduSTAR logins.

The parent provided us with the following image as an example – an exchange created in a Google Drive shared image between parent (without an EduSTAR account) and their child (with an EduSTAR account). The back-and-forth is possible thanks to EduSTAR and Google's collaborative features.

The parent created this chat with their child in Google Drive. Image supplied

The parent worried that such chats offer opportunities for grooming by outsiders – most easily if someone had scraped and then shared the Google Contacts profiles, since that would let the malicious try to target their approaches.

The parent commented: “Effectively [Google Docs] is a low-grade instant messaging app, shared unsolicited and unflagged to a seven year old child.”

Nor does it seem that such a contact would be flagged to system administrators or parents.

It's also feasible that an outsider who knows how identities are created could try to brute-force their way into getting a student to respond. And not much force would be required because EduSTAR IDs are formulaic.

We included this aspect of the system in our inquiries to the OAIC.

As the parent pointed out, other attack vectors also exist.

It's easy to imagine account IDs becoming part of a phishing campaign, for example: getting students or teachers to open an “official-looking” document that happens to include malicious links.

Even if a malicious outsider had not accessed EduSTAR, an unrelated privacy breach could yield student identities – the education application Mathletics was in 2016 criticised for weak client-side security, and later, because its competition leaderboard seemed to contain enough information to identify individual students (first name, surname initial, and school).

“Two semi-innocuous breaches with personally identifiable information are then combined to create a much greater pedophile risk, where the would-be offender now knows where the child is at school, has a photo, a name, and now can instant message them (via Google Drive)”, the parent told us.

Aren't these features?

Vulture South considered whether or not to publish this story, because after all, accessing Google Contacts or sharing in Drive or Docs are features of G Suite.

Our contact argued that these features might be suitable for adults who log in to G Suite either because their employer uses it or because they want the features for themselves.

But kids can't consent in the same way as adults, so surely an application suite intended for school students must be built to the particular requirements of its intended audience. Students also need and deserve more than generic click-to-accept privacy and safety.

The Register raised the parent's concerns with Victoria's Department of Education. We do not yet have a definitive response from the Department.

We have also asked Google for comment. ®

Updated to add

The Victorian Department of Education has provided the following responses through a spokesperson:

“The Department runs Privacy Impact Assessments on key systems that house any student information and has performed an assessment on this system.

“Google Apps is a collaboration tool which necessitates students being able to find and connect with other students – either at their own school or at another school. As such, the directory function is a known and controlled function of Google Apps.

“Parents are provided privacy information about Google Apps which explain the tool, what information it collects (and why), and are offered an opt-out process.

“Students are supervised when they use the system, and are also educated around digital citizenship and encouraged to raise any concerns.

“The Department runs Privacy Impact Assessments on key systems that house any student information and has performed an assessment on this system.”

In a follow-up email, the Department outlined the following concerns:

The Department is concerned that we wrote that “EduSTAR profiles are exposed. There is no such thing as an EduSTAR profile, the only profile that is exposed is the limited (by the Department) profile that is created in Google Apps for Education.“

The Register’s response: We accept the correction, that what’s exposed is not an “EduSTAR profile”, but a Google Apps for Education profile, and have amended the copy.

Department: “The address book is not exposed to external people and does not contain a student’s location/school. Moreover, students are unable to add additional information to their address book profile which is locked down so that it provides only the essential information required to operate the system.”

The Register’s response: We did not claim that the address book was exposed to external people. However, it could leak to the outside via a malicious insider, as described in the article.

Department: The article implies this is the same Google Apps that is used in business. It is not – it is Google Apps for Education – built specifically for K-12.

The Register's response: Our concern was, and is, that Google Apps for Education inherits too many default features from Google Apps.

Department: Additionally, the Department’s Privacy Impact Assessment reviewed the privacy and data security controls implemented by Google as a pre-requisite to providing system-access. Google comply with, and are independently audited on, the relevant industry standard controls such as ISO270001, 27017, 27018, SOC2/3.

The Register's response: We accept that this took place. If breach opportunities exist, it may also indicate that standards compliance does not cover all use-cases.

* What's “title and company” doing in a contacts database for teachers and students? Could it be that either the Department of Education, Google, or both, have rolled out Google Apps into schools with unmodified defaults?

Sign up to our NewsletterGet IT in your inbox daily


Keep Reading

Google exiles 600 apps from Play Store for 'disruptive advertising' amid push to clean up Android souk's image

Purge is the latest in a series of similar store scourings

Google scolded for depriving the poor of privacy as Chinese malware bundled on phones for hard-up Americans

Updated To make matters worse, uninstalling it could cause even more pain

Google reveals new schedule for 'phasing out support for Chrome Apps across all operating systems'

June 2020 is the end for users on Windows, Linux and Mac

Google Maps gets Incognito fig leaf: We'll give you vague peace of mind if you hold off those privacy laws

Location data is likely to remain accessible to web ads giant, network service providers, apps

Google's joins Gang of Four to guard Play Store apps from malware, and maybe not fail so much

The App Defense Alliance posse will scrutinize Android app code before release

Google's second stab at preserving both privacy and ad revenue draws fire

With PIGIN skewered, take a look at this lovely TURTLEDOVE

Google takes sole stand on privacy, rejects new rules for fear of 'authoritarian' review

Lone 'no' vote nixes renewal of W3C's Privacy Interest Group

Brave, Google, Microsoft, Mozilla gather together to talk web privacy... and why we all shouldn't get too much of it

Enigma Browser makers keep coming back to the need to please advertisers

Google tightens the screw on 'less secure apps', will block most access from June 2020

Anything less than the latest version of Outlook to be blocked soon

Ooh, watch out Google. You've got competition. Verizon has a new 'privacy-focused' search engine

Yep, the Verizon that sold subscribers' location data

Tech Resources

The CISO’s Guide to Choosing an Automated Security Questionnaire Platform

In this day and age of cyber risk and data privacy regulations, automated third-party questionnaires are a must. Organizations can no longer simply hire vendors without proof of a strong cyber posture, and a comprehensive questionnaire can demonstrate that vendors’ internal security policies are up to par.

The Total Economic Impact™ Of CrowdStrike Falcon®

Forrester estimates that a composite customer could generate an estimated 316% ROI with payback in less than three months.

Security Orchestration and Automation Playbook

This playbook highlights some of the most common use cases for security orchestration and automation, as well as useful tips on how to get started.

The Data-Driven Case for CI

What does a high performing technology delivery team look like? How do you know if your team is doing well?