School chat app Seesaw abused to send 'inappropriate image' to parents, teachers

This is why we don't reuse passwords, kids


Parents and teachers received a link to an "inappropriate image" this week via Seesaw after miscreants hijacked accounts in a credential stuffing attack against the popular school messaging app.

Seesaw – which claims more than 10 million teachers, students, and parents use its tech every month – shared a letter from its CEO Adrian Graham on Thursday about the incident. The company and its leadership, Graham wrote, "are deeply sorry for the disruption."

Late Tuesday, attackers used stolen credentials to take over some Seesaw accounts and send a private message to other users with a link to a dirty pic, he said. "Less than 0.5 percent of users were affected," the chief exec added.

That's just as well, as we understand the image was the infamous goatse pic – don't look it up, or if you do, don't blame us. You all know what it is.

The miscreants, we're told, used credential stuffing: typically this is where you get someone's username and password leaked or stolen from one site, and use the same combo on other sites, in hope that the victim has reused the username and password pair over and over to keep their life simple. It's why you should use a unique, complex password per online account, and use a decent password manager to handle it all.

In this case, the attackers probably got a load of logins from another site or app, and then tried using them to log into Seesaw, finding some of them worked.

It appears the pranksters' sole purpose for the credential stuffing attack was to send a message with a URL leading to definitely not-safe-for-work content.

Seesaw is, simply put, an all-in-one platform for young kids to use to share their writing, artwork, and other stuff they make these days with their teachers and also parents and guardians. It also provides a messaging feature between school staff and parents; it's this feature that was abused.

Here's one alert a school district put out this week after the messages were sent:

"We have no evidence to suggest the attacker performed additional actions or accessed data in Seesaw beyond logging in and sending a message," Graham said. 

In response, the biz "took action" to block the spam, secured compromised accounts, and temporarily shut down its messaging feature to prevent further distribution, we're told. 

Seesaw also notified all users whose accounts were compromised and reset passwords. It also restored the messaging function as of Thursday night.

"Before turning messaging back on, we took action to block the attacker's access and made sure the image was removed and no longer accessible," according to a security advisory.

The app admins removed the message with the "inappropriate image" link from all accounts, and coordinated with Bit.ly and AWS – presumably because Bit.ly was used to shorten the image URL in the message and Amazon had some role in hosting the picture – to make sure the material was no longer accessible. That said, if the explicit pic is cached on your device, you may need to take a few extra steps to get rid of it.

As such, Seesaw recommends refreshing web browsers, re-launching Seesaw on mobile devices, and updating to the latest version 8.1.2.

The company said it also emailed these instructions to affected users.

In his letter Graham said the security snafu proved to be a teachable moment for the classroom app, and noted a "number of mitigation steps to prevent a similar attack in the future."

These include improvements to its rate limiting, alerts, content detection and blocking, and login systems. It's also conducting a forensic investigation and sharing password security best practices with users.
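To make the credential-stuffing pattern described above, and the rate-limiting and alerting mitigations Seesaw lists, concrete, here is an added example written for this piece; it is not Seesaw's code and says nothing about how its systems actually work. It assumes a simple authentication log format (timestamp, source IP, username, result), uses constructed log lines with documentation-range IP addresses, and picks illustrative thresholds. The detector flags a source that tries many different accounts in a short window with mostly failures, the hallmark of a stuffing run as opposed to one user mistyping a password, and lists the accounts that did succeed from that source, which are the ones to reset. A per-source token bucket then shows how a modest rate limit would have cut the same burst short before the password check ever ran.

```python
"""Credential-stuffing detection and per-source rate limiting.

Added illustration only (not Seesaw's code). Log format, thresholds and
all sample data below are assumptions constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed format per line:
# "<ISO timestamp> <source_ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2022-09-13T22:01:00 203.0.113.7 alice.teacher FAIL
2022-09-13T22:01:01 203.0.113.7 bob.parent FAIL
2022-09-13T22:01:02 203.0.113.7 carol.parent OK
2022-09-13T22:01:03 203.0.113.7 dan.teacher FAIL
2022-09-13T22:01:04 203.0.113.7 erin.parent FAIL
2022-09-13T22:01:05 203.0.113.7 frank.parent FAIL
2022-09-13T22:01:06 203.0.113.7 grace.teacher OK
2022-09-13T22:01:07 203.0.113.7 heidi.parent FAIL
2022-09-13T22:03:00 198.51.100.2 ivan.parent FAIL
2022-09-13T22:03:20 198.51.100.2 ivan.parent OK
2022-09-13T22:05:00 192.0.2.9 judy.teacher OK
"""


@dataclass
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the assumed log format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def _has_stuffing_window(evs, window, min_users, min_fail_ratio):
    """Sliding window over one source's events (sorted by time): true if any
    window holds >= min_users distinct accounts with failure ratio >= min_fail_ratio."""
    start = 0
    for end in range(len(evs)):
        while evs[end].ts - evs[start].ts > window:
            start += 1
        span = evs[start:end + 1]
        users = {e.user for e in span}
        fails = sum(not e.ok for e in span)
        if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
            return True
    return False


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.5):
    """Return {ip: summary} for sources showing a stuffing pattern. The summary
    includes 'accounts_to_reset': usernames that logged in successfully from a
    flagged source, i.e. the likely takeovers."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        if not _has_stuffing_window(evs, window, min_users, min_fail_ratio):
            continue
        flagged[ip] = {
            "distinct_users": len({e.user for e in evs}),
            "attempts": len(evs),
            "failures": sum(not e.ok for e in evs),
            "accounts_to_reset": sorted({e.user for e in evs if e.ok}),
        }
    return flagged


class LoginRateLimiter:
    """Per-source token bucket: `capacity` attempts in a burst, refilled at
    `rate` tokens per second. Rejected attempts never reach the password check."""

    def __init__(self, capacity=5, rate=1 / 60):
        self.capacity = capacity
        self.rate = rate
        self._buckets = {}  # ip -> (tokens, last_seen)

    def allow(self, ip, now):
        tokens, last = self._buckets.get(ip, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last).total_seconds() * self.rate)
        if tokens < 1:
            self._buckets[ip] = (tokens, now)
            return False
        self._buckets[ip] = (tokens - 1, now)
        return True


def replay_with_limit(events, limiter):
    """Replay the log through the limiter; return how many attempts it blocks."""
    return sum(not limiter.allow(e.ip, e.ts) for e in sorted(events, key=lambda e: e.ts))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(find_stuffing_sources(evs))
    print("blocked by rate limit:", replay_with_limit(evs, LoginRateLimiter()))
```

On the constructed log the detector flags only 203.0.113.7 (eight accounts tried in seven seconds, six failures) and names carol.parent and grace.teacher as the accounts to reset; the single user at 198.51.100.2 who fails once and then succeeds is left alone. With a bucket of five attempts refilling one per minute, the replay blocks the last three attempts from the flagged source, including the one that would have taken over grace.teacher. Thresholds are deliberately tunable: the failure-ratio test is what separates a stuffing run from a shared school NAT address where many legitimate users log in successfully.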

"We'll be reviewing other steps we can take in the coming days to help users secure their accounts further and will share updates if any new information is discovered," Graham wrote. ®
