School chat app Seesaw abused to send ‘inappropriate image’ to parents, teachers

Parents and teachers received a link to an “inappropriate image” this week via Seesaw after miscreants hijacked accounts in a credential stuffing attack against the popular school messaging app.

Seesaw – which claims more than 10 million teachers, students, and parents use its tech every month – shared a letter from its CEO Adrian Graham on Thursday about the incident. The company and its leadership, Graham wrote, “are deeply sorry for the disruption.”

Late Tuesday, attackers used stolen credentials to take over some Seesaw accounts and send a private message to other users with a link to a dirty pic, he said. “Less than 0.5 percent of users were affected,” the chief exec added.

That’s just as well, as we understand the image was the infamous goatse pic – don’t look it up, or if you do, don’t blame us. You all know what it is.

The miscreants, we’re told, used credential stuffing: typically this is where you get someone’s username and password leaked or stolen from one site, and try the same combo on other sites, in the hope that the victim has reused the username and password pair over and over to keep their life simple. It’s why you should use a unique, complex password per online account, and use a decent password manager to handle it all.

In this case, the attackers probably got a load of logins from another site or app, and then tried using them to log into Seesaw, finding some of them worked.

It appears the pranksters’ sole purpose in the credential stuffing attack was to send a message with a URL leading to definitely not-safe-for-work content.

Seesaw is, simply put, an all-in-one platform for young kids to use to share their writing, artwork, and other stuff they make these days with their teachers and also parents and guardians. It also provides a messaging feature between school staff and parents; it’s this feature that was abused.

Here’s one alert a school district put out this week after the messages were sent:

“We have no evidence to suggest the attacker performed additional actions or accessed data in Seesaw beyond logging in and sending a message,” Graham said. 

In response, the biz “took action” to block the spam, secured compromised accounts, and temporarily shut down its messaging feature to prevent further distribution, we’re told. 

Seesaw also notified all users whose accounts were compromised and reset passwords. It also restored the messaging function as of Thursday night.

“Before turning messaging back on, we took action to block the attacker’s access and made sure the image was removed and no longer accessible,” according to a security advisory.

The app admins removed the message with the “inappropriate image” link from all accounts, and coordinated with Bit.ly and AWS – presumably because Bit.ly was used to shorten the image URL in the message and Amazon had some role in hosting the picture – to make sure the material was no longer accessible. That said, if the explicit pic is cached on your device, you may need to take a few extra steps to get rid of it.

As such, Seesaw recommends refreshing web browsers, re-launching Seesaw on mobile devices, and updating to the latest version 8.1.2.

The company said it also emailed these instructions to affected users.

In his letter Graham said the security snafu proved to be a teachable moment for the classroom app, and noted a “number of mitigation steps to prevent a similar attack in the future.”

These include improvements to its rate limiting, alerts, content detection and blocking, and login systems. It’s also conducting a forensic investigation and sharing password security best practices with users.
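As an added illustration of the rate-limiting and alerting mitigations listed above, and of the credential stuffing pattern described earlier, here is example detection code that is not Seesaw's own: it flags a login source that tries many distinct accounts with a high failure rate, and lists which of those accounts it actually got into, which are the ones to lock and reset. The log format, IP addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Verdict:
    ip: str
    distinct_users: int
    failures: int
    compromised: list = field(default_factory=list)  # accounts that logged in
# Constructed sample lines ("<ISO time> <ip> <user> <OK|FAIL>"), not real data:
# one IP replays a leaked list; another is a single user who mistyped once.
SAMPLE_LOG = """\
2022-09-13T23:01:02 203.0.113.7 parent01 FAIL
2022-09-13T23:01:03 203.0.113.7 teacher17 FAIL
2022-09-13T23:01:03 203.0.113.7 parent22 OK
2022-09-13T23:01:04 203.0.113.7 parent03 FAIL
2022-09-13T23:01:05 203.0.113.7 teacher04 FAIL
2022-09-13T23:01:06 203.0.113.7 parent09 OK
2022-09-13T23:05:00 198.51.100.2 teacher17 FAIL
2022-09-13T23:05:40 198.51.100.2 teacher17 OK
"""

def parse(text):
    # Turn log text into (timestamp, ip, user, succeeded) tuples
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def detect(text, window=timedelta(minutes=10), min_users=5, min_fail_rate=0.6):
    """Flag IPs that try >= min_users distinct accounts inside one `window`
    with a failure rate >= min_fail_rate (thresholds are illustrative)."""
    by_ip = defaultdict(list)
    for ev in parse(text):
        by_ip[ev[1]].append(ev)
    verdicts = {}
    for ip, evs in by_ip.items():
        evs.sort()  # chronological, so the sliding window below is valid
        for i, (start, _, _, _) in enumerate(evs):
            span = [e for e in evs[i:] if e[0] - start <= window]
            users = {e[2] for e in span}
            fails = sum(1 for e in span if not e[3])
            if len(users) >= min_users and fails / len(span) >= min_fail_rate:
                # successes from a stuffing source are the accounts to reset
                ok = sorted({e[2] for e in span if e[3]})
                verdicts[ip] = Verdict(ip, len(users), fails, ok)
                break  # one hit per IP is enough to raise an alert
    return verdicts
```

A single user retrying their own password, as the second IP does, never trips the distinct-account threshold, which is what keeps this rule from punishing ordinary typos.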

“We’ll be reviewing other steps we can take in the coming days to help users secure their accounts further and will share updates if any new information is discovered,” Graham wrote. ®
