Ravenna Hub admissions bug exposes children’s personal data via IDOR
VentureEd fixes the flaw but won’t promise user notification; SaaS school enrollment turns identity into a shared attack surface
Zack Whittaker
techcrunch.com
A bug in a school admissions platform exposed what modern institutions treat as a renewable resource: children’s personal data.
TechCrunch reports that Ravenna Hub — a widely used student admissions website — fixed a security flaw that allowed any logged-in user to access the personally identifiable information of other users and their children. The platform is operated by Florida-based VentureEd Solutions, which says it serves over a million students and processes hundreds of thousands of applications each year.
The flaw was an insecure direct object reference (IDOR), a depressingly common class of vulnerability. In practice, TechCrunch found that by changing a student profile number in the browser address bar, a user could view another child’s record. Because the identifiers were sequential, the exposure scaled by design: TechCrunch observed a seven-digit ID, implying more than 1.63 million prior records were potentially accessible.
The exposed data was not trivial. TechCrunch says it included children’s names, dates of birth, addresses, photos, and school details. Parents’ email addresses and phone numbers were exposed too, along with information about siblings.
TechCrunch notified VentureEd, and CEO Nick Laird said the company replicated the issue and fixed it the same day. But Laird would not commit to notifying users about the lapse, TechCrunch reports, and declined to say whether the company could determine if anyone had improperly accessed other users’ data. He also would not say whether Ravenna Hub had been assessed by an independent security firm.
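The two points above, the missing ownership check behind the IDOR and the question of whether enumeration could even be spotted afterwards, as an added example that is not Ravenna Hub’s or VentureEd’s code. The student records, parent accounts and access log are constructed; the handler names and the `threshold` heuristic are hypothetical.

```python
# Added example, not Ravenna Hub's code: a student-profile lookup with
# the missing object-level authorization check behind an IDOR, beside
# the hardened form, plus a log heuristic for the enumeration such a
# bug enables.  All records and accounts below are constructed.
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Student:
    student_id: int   # sequential and guessable, like the 7-digit IDs in the report
    family_id: str    # the parent account that owns this record
    name: str

@dataclass
class User:
    user_id: str
    family_id: str

# Constructed sample data: two parent accounts, consecutive student IDs.
STUDENTS = {
    1000001: Student(1000001, "fam-A", "Child A1"),
    1000002: Student(1000002, "fam-A", "Child A2"),
    1000003: Student(1000003, "fam-B", "Child B1"),
}
PARENT_A = User("parent-a", "fam-A")
PARENT_B = User("parent-b", "fam-B")

class Forbidden(Exception):
    pass

def get_student_vulnerable(user: User, student_id: int) -> Student:
    # Login was checked upstream, but nothing checks ownership: any
    # authenticated user gets any record by editing the ID (IDOR).
    return STUDENTS[student_id]

def get_student_secure(user: User, student_id: int) -> Student:
    # Object-level authorization: the record must belong to the caller's
    # family.  Unknown and foreign IDs fail identically, so the endpoint
    # does not confirm which IDs exist.
    rec = STUDENTS.get(student_id)
    if rec is None or rec.family_id != user.family_id:
        raise Forbidden("no such record for this account")
    return rec

def enumeration_suspects(access_log, threshold=3):
    # Flag accounts that viewed at least `threshold` distinct student IDs,
    # more than one family plausibly owns.  access_log: (user_id, student_id).
    seen = defaultdict(set)
    for user_id, student_id in access_log:
        seen[user_id].add(student_id)
    return sorted(u for u, ids in seen.items() if len(ids) >= threshold)
```

Random, non-sequential identifiers would raise the cost of guessing but are no substitute for the ownership check; the access-log heuristic only works if per-record reads are logged with the requesting account in the first place.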
This is the predictable end state of “digital transformation” procurement: institutions centralize sensitive workflows into a single SaaS choke point, then act surprised when the resulting data lake behaves like a data leak.
Parents are told the platform is “convenient.” Schools and districts are told it is “efficient.” What it really is, in the typical public-private outsourcing model, is a privatized identity registry with unclear accountability. When the product fails, the vendor can treat disclosure as optional, the customer can plead it wasn’t their system, and the families get to play the role of involuntary beta testers.
The technical details matter because they show how little sophistication is required for mass exposure. This was not a nation-state exploit. It was a URL edit. And yet it surfaced a structural truth: once admissions becomes a centralized web application, every child’s identity becomes part of a single attack surface.
The critique here is not “technology is bad.” It’s that centralization without liability is a business model. If the platform’s incentives don’t include meaningful penalties for sloppy access controls — and if users can’t even count on being notified when their children’s data is exposed — then breaches aren’t incidents. They’re features of the procurement ecosystem.
VentureEd’s fix closes one hole. The larger question remains: why are we building systems where a single misconfigured authorization check can expose millions of children in the first place?