Mathletics, an e-learning platform for mathematics that is used by millions of school kids across the English speaking world, has admitted a coding error that meant kids’ login details were transmitted in the clear.
Developer 3P Learning, based in Australia, said that the security snafu was down to a coding error, which it has already resolved. Nonetheless, some parents remain concerned about the privacy and security of the site, such as its failure to support HTTPS. 3P Learning said that plans were in hand to upgrade Mathletics so that all communications with the site went over an encrypted link.
El Reg was alerted to concerns about the website by reader Ian, whose daughter used the Mathletics website.
“Upon using the provided credentials for the first time to log into the site it was evident that there is no HTTPS SSL present,” Ian, who works as a software developer, explained. “Looking at the source of the page not one connection (that I could see) is connecting using a secure connection.”
“Furthermore, my daughter’s password is written to the page source as plain text after log in and Wireshark shows that the site passes usernames and passwords in plain text.”
The issue cropped up in January and Ian only approached El Reg after failing to get a substantive response to his queries even after a month of waiting. 3P Learning responded promptly to El Reg’s emails but only admitted a coding error after we forwarded Ian’s Wireshark capture as evidence of the historic problems with their website.
Mathletics owners' response
Mitch Nicholls, chief technology officer at 3P Learning, explained the source of the now resolved issue.
“At that time there was a developer error whereby a feature we use to be able to log into the system for testing and monitoring made it into production, which meant that a username and password was embedded into a Flash Object (and as such in the HTML source of the page), and this could be perceived to be an insecure site,” he said.
Nicholls apologised for the delay in fielding Ian’s query promptly; Ian mentioned to us that his query had been passed from “pillar to post”. “Steps are already being taken to correct the communication error,” Nicholls said.
Ian reckons that the data exposed was not that serious and that the chief risk came from the possibility of miscreants combining data from other leaks with information harvested from Mathletics. That doesn’t seem particularly likely, but it’s hard to disagree that sites used by schoolchildren ought to be leading the way in security, irrespective of how much damage a potential leak might cause.
"Surely whenever a company is storing/processing children's names, school, user names, passwords and personal data (maths results) then HTTPS/SSL is the only option," Ian argues.
Nicholls conceded this point and explained 3P's plans to upgrade Mathletics’ security.
3P has its sites externally tested regularly by security experts, and has never had an issue with such tests even when put under the microscope during our IPO. We haven’t had a data breach to this day, however from my perspective one concern about security from a user/parent is one more than is necessary to review and rectify any issues that are perceived. We are already in the process of moving all traffic to HTTPS as a matter of priority, with our third party providers assisting us with that.
Most client-to-server communication in its current form is not clear text, instead using a binary encryption method for transmissions (AMF). I am aware that you can get to our legacy sign-in page using Google cached content as well as the Wayback Machine for internet archives, however we will work with those providers to attempt to remove that content in the future.
Nicholls added: “The new HTML based home pages that we have released are indeed served via HTTP, however the API called to authenticate a user is most certainly HTTPS.”
Our tipster Ian responded via email that the “latest deployment which does now seem to be using https now however the connection to community.mathletics.com is not encrypted.” (sic)
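Two of the faults described in this story lend themselves to a pre-release check: a test login baked into a Flash object's FlashVars (Nicholls' account above) and a login form or active content that still points at plain HTTP (the mixed HTTP/HTTPS deployment Ian and Nicholls discuss). The following audit is an added example written for this article, not 3P Learning's code; the credential parameter names it looks for and the sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Parameter names that should never reach a served page (assumed list).
CREDENTIAL_KEYS = {"username", "user", "login", "password", "pass", "pwd"}


class LoginPageAuditor(HTMLParser):
    """Flag credential-bearing FlashVars and non-HTTPS login targets."""

    def __init__(self, page_url):
        super().__init__()
        self.page_scheme = urlparse(page_url).scheme
        self.findings = []

    def _check_flashvars(self, value):
        # FlashVars is a query string: key=value&key2=value2
        for key, vals in parse_qs(value).items():
            if key.lower() in CREDENTIAL_KEYS and any(v.strip() for v in vals):
                self.findings.append(("credential_in_flashvars", key))

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        # Credentials baked into a Flash object, whether via <param> or attribute.
        if tag == "param" and a.get("name", "").lower() == "flashvars":
            self._check_flashvars(a.get("value", ""))
        elif tag in ("embed", "object") and "flashvars" in a:
            self._check_flashvars(a["flashvars"])
        # A login form whose submit target is not HTTPS (relative = page scheme).
        if tag == "form":
            action = a.get("action", "")
            scheme = urlparse(action).scheme or self.page_scheme
            if scheme != "https":
                self.findings.append(("form_action_not_https", action or "(same page)"))
        # Active content fetched over plain HTTP can rewrite the whole page.
        src = a.get("src", a.get("data", ""))
        if tag in ("script", "iframe", "embed", "object") and src.startswith("http://"):
            self.findings.append(("active_content_over_http", src))


def audit_login_page(page_url, html):
    """Return a list of (finding, detail) tuples; an empty list means the page passed."""
    auditor = LoginPageAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: HTTP-served page, Flash login object with embedded test credentials.
SAMPLE_HTML = """<html><body>
<object data="http://cdn.example.test/login.swf">
  <param name="FlashVars" value="username=testacct&amp;password=NotASecret123&amp;lang=en">
</object>
<form action="http://www.example.test/login" method="post"><input name="p" type="password"></form>
<script src="http://www.example.test/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_login_page("http://www.example.test/", SAMPLE_HTML):
        print(*finding)
```

Wired into a deployment pipeline, a non-empty result blocks the release, which is the point at which the test-login feature described above would have been caught.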
Ian is not the only parent and techie to write to us about concerns with the Mathletics website. A second reader, Rupert, got in touch over the weekend to say that his son was obliged to use Mathletics for school homework and yet the site “doesn't have HTTPS even for login”. He also expressed discomfort that its technology is based on Flash (a favourite hacker target), among other matters. El Reg has passed on these points to 3P Learning.
Mathletics (a portmanteau word combining mathematics and athletics) boasts around 3.5 million users in more than 10,000 schools worldwide, making it one of the world’s biggest e-learning platforms.