Big tile for Traversup? The famous platform, which allows high school students to enroll in higher education, may have been the victim of a data leak. An Internet user has indeed uploaded last Sunday a file relating to about sixty candidate files containing a lot of personal information supposedly extracted from the higher education registration web platform, found ZDNET.fr.
“After accessing one of the administration areas [de Parcoursup.fr], I was able to export part of the user database”, thus affirms a user, “DrOne”, in a message posted on a data leak forum. “At the moment,” the export file “contains only a few users, but there is a lot of data”” he adds.
In fact, we find in this JSON file the identity of candidates, as well as that of their parents, their email and postal addresses, or even their phone numbers. Likewise, a lot of school information is detailed, from the student’s institution to the opinion of the educational community through motivational comments.
“During the summer, I was able to work at a campsite, in catering, service and maintenance”” explains a high school student, for example. A large part of the students affected by the flight attend school in Ille-et-Vilaine. But some high school students from neighboring academies or from abroad are also listed.
So much data that seems to be true: several people affected by the data leak confirmed to ZDNET.fr be high school students who have applied for training in higher education. However, the Ministry of higher education, research and innovation has not confirmed fraudulent access to the Parcoursup platform. Likewise, on Friday, the Paris prosecutor’s office had not registered a complaint about this.
Data that should not be “so easily accessible”
Contacted by ZDNET.fr , the hacker at the origin of the data leak, however, claims to have downloaded the entire database, that is to say several gigabytes of information, he says. Data that should not leak, however. “I don’t know if I’m going to keep it or delete it, I just wanted to show that this data shouldn’t be so easily accessible,” explains “DrOne” thus.
The latter explains that he first identified a Parcoursup administration portal. Then he claims to have entered it with a username-password pair that has already leaked. The name of the hacked portal has not been communicated. A screenshot sent by DrOne to ZDNET.fr shows different tabs – information, accounts, settings, applications, data export, decision support, admissions, registrations, data transfers – suggesting that it is indeed an internal teaching tool.
The hacker would then have managed to export the database by exploiting, he says, a bad configuration in the export request. “A simple locally modified value allowed me to export” beyond the imposed limit, he specifies. This complete download would have taken him two days before being spotted and banned from the site.
A previous leak of student files
If the hacking is confirmed, this would not be the first digital pan around Parcoursup. In May 2020, Mediapart had spotted the leak of 6,500 student files, candidates for a preparatory class at the Janson-de-Sailly high school in Paris. The head of the school had then pleaded a ”technical flaw”, corrected quickly, which did not concern the data stored on the servers of Parcoursup.
A year earlier, a computer science student from Paris had alerted the Ministry of higher education about the existence of a flaw on the site Parcoursup.fr . The latter had noticed that it was possible to create a phishing page on this site, “a gross and indecent flaw”, he had argued.