I have written before about cloud security and file security. I was doing a simple pentesting job for a school recently and found a service they were using called: Edlio.
I cannot say if Edlio has a security issue, or if what I found was simply based-on clients not following procedures, or if all these schools marked their documents as public.
However, I can say it is generally bad practice for:
- Personal information to be public and openly searchable
- Budget information to be public and openly searchable (aside from summaries and annual reports)
- Versions of documents, that are not the final version, to be public and openly searchable
- Calendars and other data about large group events to be enabled without security
Schools using Edlio, or other services, need to audit their public content. Here is what is accessible on Edlio with a compound search:
I then noticed that the documents seem to be organized by date, and mixed. Meaning, different schools appear to be storing documents in a “common” directory, and then their files are further organized.
Using a search based on the date, I was able to further sort documents from different schools:
Again, there is no evidence this is an issue with the Edlio service. These documents could be available due to schools simply not managing their permission options, or because the schools believed these documents needed to be public.
The takeaway here is that school senior leadership should be aware this information is public, how it can be searched, and there should be some minor threat assessment done to determine if these documents (and posting policies) are creating more risk than reward.
If you want more information on how to do this type of testing and analysis, please email me: firstname.lastname@example.org