[CVE REQUESTED] Public Data Exposure via Broken Auth in AIMath Web App

Posted Jul 27, 2025 Updated Jul 30, 2025

By RTA

2 min read

Summary

A critical security flaw was identified in the AIMath Web App, a math learning platform operated by Ednovation, which exposes student and parent personal data via unauthenticated GET APIs. The flaw exists due to improperly protected endpoints discovered in the client JavaScript bundle and leads to widespread data leakage.

Ednovation, headquartered in Singapore, is a leading provider of preschool education services across Asia, has evolved into a chain of more than 60 pre-schools and enrichment centres across Singapore, China and ASEAN.

Background & Discovery

While analyzing the JavaScript bundle (bundle.js) of the AIMath Web App hosted on a separate subdomain from ParentCommApp, several internal API endpoints were discovered. These endpoints were called by a shared processGet() function and were entirely unauthenticated, accepting direct requests from any unauthenticated source.

This issue was uncovered during passive testing of Ednovation’s broader ecosystem of educational platforms and stems from unprotected API usage in a production-facing web application.

Affected Product

App: AIMath Web App
Vendor: Ednovation
Subdomain: https://aimath.ednoland.com/
Component: Client-side JavaScript (bundle.js) and associated API backend
Version: Unknown (latest production build prior to discovery)

Vulnerability Details

The vulnerability stems from usage of a common JavaScript function, processGet(), that performs HTTP GET requests to backend endpoints without requiring any authentication token, session cookie, or user credential.

Endpoints include:

Fetching all classes
Fetching all students in a class
Fetching student details (including personal data)

Data Leaked Includes:

Student ID, username, display name
Parent full name, mobile number, email address
Student profile photo URL
Encrypted password and even plaintext password
Class group and organization details

Exploitation

The attacker can analyze the JavaScript code served from aimath.ednoland.com to extract internal API paths.
Directly calling these endpoints via GET requests (e.g., using curl or a browser) returns raw JSON data.
No authentication is required, and the server does not verify session or JWT.

Example:

GET https://aimath.ednoland.com/classes/students/2

Returns full student data for class 2, including parent contact information.

Impact

Privacy violation: Exposure of student and guardian PII
Sensitive credential exposure: Passwords appear in both encrypted and plaintext forms
Data enumeration risk: Entire student directory can be scraped unauthenticated
Violation of data protection obligations (e.g., PDPA, GDPR)

Mitigation

All APIs should enforce access control using secure authentication mechanisms (e.g., session tokens, JWT).
Remove plaintext password storage from both frontend and backend systems.
Obfuscate or minimize exposed JavaScript where feasible to avoid exposing internal endpoints.
Conduct a full audit of client-side exposed API calls.

Timeline

2024–07: Related flaws discovered in other Ednovation products (ParentCommApp iOS)
2024-07: This distinct issue discovered in AIMath Web App, responsibly reported to vendor
2022-08: Vendor acknowledged and deployed a patch
2025-07: Public disclosure and CVE request initiated

Disclosure

This post is licensed under CC BY 4.0 by the author.