A critical security flaw in Ravenna Hub - a platform used by thousands of schools for student admissions - exposed children's personal information to anyone with a login. The vulnerability allowed any authenticated user to access the private data of other families, including kids' application details, in what represents a significant breach of one of education's most sensitive data repositories. The company has since patched the bug, but questions remain about how long the exposure lasted and how many families were affected.
Ravenna Hub just became the latest education technology platform to suffer a serious data exposure - and this time, it involved kids. The student admissions platform, which thousands of schools rely on to manage applications, allowed any logged-in user to access personally identifiable information belonging to other users and their children, according to an exclusive TechCrunch investigation.
The bug was a classic broken access control vulnerability. Any parent or administrator who'd created an account could theoretically view another family's application data simply by manipulating the platform's internal identifiers. That means names, ages, school choices, application statuses, and potentially other sensitive details about minors were sitting exposed to anyone who knew where to look.
Ravenna Hub markets itself as an all-in-one solution for independent and private school admissions, letting parents track applications across multiple institutions through a single portal. The platform has become increasingly popular as families navigate the complex process of applying to selective schools, particularly in major metros where competition for spots is fierce.
But that convenience came with a hidden risk. The vulnerability meant that competitors, bad actors, or even curious parents could potentially access information about which schools other families were targeting, what stage their applications had reached, and personal details about the children themselves. For schools dealing with wealthy or high-profile families, the privacy implications are significant.
The company responded quickly once the flaw was disclosed, according to the report. TechCrunch noted that Ravenna Hub patched the vulnerability shortly after being contacted, though the timeline raises questions. How long was this exposure active? Did anyone exploit it before it was fixed? And most critically - were families notified that their children's data may have been accessible?
