Online tutoring site UStrive has resolved security issues that exposed the personal information of its users, including children.
The exposed data includes full names, email addresses, phone numbers, and other non-public information provided by UStrive users, all of which could be accessed by other logged-in users.
The nonprofit, formerly known as Strive for College, provides online tutoring to high school and college students through its platform. The organization won’t say whether it will inform users about the security incident.
Last week, a person who asked not to be named alerted TechCrunch to a security flaw in mentoring platform UStrive. By examining network traffic while logged in and navigating the site, such as when viewing a user’s profile, anyone could see users’ personal information flowing into their browser.
The person said UStrive relies on a vulnerable Amazon-hosted GraphQL endpoint (a type of database query interface) that allowed access to reams of user data stored on UStrive’s servers. Some user records contain more data than others, including information provided by the student, such as gender and date of birth. The person said there were at least 238,000 user records at the time of the discovery. UStrive, meanwhile, states on its front page that more than “1.1 million students have chosen to mentor UStrive.”
TechCrunch confirmed the data exposure after creating a new user account on UStrive, and notified company executives via email on Thursday.
John D. McIntyre, an attorney with the Virginia law firm McIntyre Stein, which represents UStrive, said in a letter provided to TechCrunch on Thursday that UStrive “is currently in court with one of its former software engineers,” and that the company is “somewhat limited in its ability to respond.”
TechCrunch told McIntyre that the company at the time still had security lapses exposing the private and personal information of children, and asked McIntyre to inform TechCrunch if UStrive plans to fix the data exposure, and if so, when.
McIntyre did not respond to our inquiries.
In response to TechCrunch’s initial outreach, UStrive chief technology officer Dwamian Mcleish told TechCrunch via email on Thursday that the exposure has been “fixed.”
TechCrunch sent Mcleish a follow-up email with other questions about the incident, including: whether the company plans to notify users of the security incident, whether the company has the ability to check whether there was any improper or malicious access to user data, and whether the company’s platform has undergone a security audit and, if so, by whom.
UStrive founder Michael J. Carter did not comment for this article.

