Post

[CVE REQUESTED] ParentCommApp Insecure Direct Object Reference (IDOR)

Summary

A critical Insecure Direct Object Reference (IDOR) vulnerability was discovered in Ednovation’s ParentCommApp for iOS, allowing authenticated users to retrieve private data of other children by modifying a predictable childId parameter in an API request.

Ednovation, headquartered in Singapore, is a leading provider of preschool education services across Asia, has evolved into a chain of more than 60 pre-schools and enrichment centres across Singapore, China and ASEAN.


Background & Discovery

This issue was discovered while testing the iOS version of ParentCommApp after the vendor had deployed fixes for a previously reported broken authentication implementation. Although the latest app version uses server-generated JWT tokens for request authorization, the backend still relies on unvalidated childId values passed via URL query parameters.

The API continues to trust these user-supplied identifiers without verifying whether the requesting party is authorized to access the corresponding resource, leading to a classic IDOR vulnerability.

Affected Product

  • App: ParentCommApp (iOS)
  • Vendor: Ednovation
  • Platform: Backend API — Child Info Endpoint
  • Version: Affected prior to 2022 remediation

Vulnerability Details

The API endpoint used to fetch student details takes an input parameter childId, which is a predictable integer (e.g., childId=101, 102, etc). While the app includes a valid JWT token in its request headers, the server does not validate whether the requester has permission to access the childId specified.

Any authenticated user can increment the value of childId to access other children’s personal records.

Exploitation

An attacker with a valid login can craft a request like:

1
2
3
4
POST /matp/parentApp/parentAppRequest.php
Authorization: Bearer <valid_token>

action=getChildInfo&childId=1234

Then change the childId to:

1
2
3
4
POST /matp/parentApp/parentAppRequest.php
Authorization: Bearer <valid_token>

action=getChildInfo&childId=1235

The server will return private data for the new child without any authorization check. This can be repeated to enumerate other children’s information.

Impact

  • Unauthorized access to sensitive personal information of children
  • Privacy violations against students and families
  • Regulatory risk (e.g., PDPA, GDPR violations)
  • Enables enumeration attacks across the entire user base

Mitigation

  • Implement proper object-level access control in the backend
  • Validate that the childId belongs to the authenticated user
  • Avoid reliance on predictable numeric identifiers in APIs

Timeline

  • 2022-09: Issue discovered and responsibly reported to vendor
  • 2022-09: Vendor acknowledged and deployed a patch
  • 2025-07: Public disclosure and CVE request initiated
This post is licensed under CC BY 4.0 by the author.