This week, parents and teachers received a link to an “inappropriate image” via Seesaw after criminals hijacked accounts in a credential stuffing attack on the popular school messaging app.
Seesaw – which claims more than 10 million teachers, students and parents use its technology every month – shared a letter on Thursday from its CEO Adrian Graham about the incident. Graham wrote that the company and its leadership “deeply apologise for this disruption.”
Late on Tuesday, attackers took over some Seesaw accounts using stolen credentials and sent other users a private message with a link to a lewd image, he said. “Less than 0.5 percent of users are affected,” the CEO added.
It’s our understanding that the image is a picture of the infamous goat – don’t look it up, or don’t blame us if you do. You all know what it is.
We’re told that credential stuffing was the crooks’ technique. Typically this is where someone’s username and password are leaked or stolen from one site, and the same combination is then tried on another site in the hope that the victim reuses that username-and-password pair over and over again to keep life simple. That’s why you should use a unique, complex password for every online account, and use a decent password manager to handle them all.
In this case, an attacker may have obtained a large batch of login details from another site or application, tried using them to log into Seesaw, and found that some of them worked.
It appears the only purpose of this credential stuffing attack, carried out by a prankster, was to send a message with a URL that leads to absolutely not-safe-for-work content.
In short, Seesaw is an all-in-one platform for young kids to use to share their creations, artwork, and other things they make these days with their teachers, parents, and guardians. It also provides a messaging feature between school staff and parents; it is this feature that is being abused.
Here’s a warning from one school district this week following the news:
We know that unauthorized messages are being sent across the country to parents with children in pre-K through 2nd grade through the SeeSaw app. Please do not click on any links as they may contain inappropriate content. SeeSaw is working hard to solve this problem. pic.twitter.com/TKSLjgakBy
— Rockwall ISD (@rockwallschools) September 14, 2022
“We have no evidence that the attackers performed additional actions or accessed data in Seesaw beyond logging in and sending messages,” Graham said.
In response, we were told, the company “acted” to block spam, protect compromised accounts, and temporarily shut down its messaging to prevent further distribution.
Seesaw also notified all users whose accounts were compromised and reset their passwords. As of Thursday night, it had also resumed messaging.
“Before reopening messaging, we took steps to block attackers’ access and ensure the images were removed and no longer accessible,” according to the security bulletin.
Application administrators removed messages with “inappropriate image” links from all accounts and coordinated with Bit.ly and AWS – probably because Bit.ly was used to shorten image URLs in messages, while Amazon played some role in hosting the images – ensuring that the material could no longer be accessed. That said, if an explicit image is cached on your device, you may need to take some extra steps to get rid of it.
Therefore, Seesaw recommends refreshing your web browser, restarting Seesaw on your mobile device, and updating to the latest version, 8.1.2.
The company said it also emailed the instructions to affected users.
In his letter, Graham said the security issue proved to be a teachable moment for classroom applications, noting “some mitigations to prevent similar attacks in the future.”
These include improvements to its rate limiting, alerting, content detection and blocking, and login system. It is also conducting forensic investigations and sharing password security best practices with users.
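To make the credential stuffing pattern described earlier, and the rate-limiting and alerting mitigations mentioned here, concrete, the following Python script is an added illustration and is not Seesaw's code or anything from the company's bulletin. It replays a constructed set of login events (the IP addresses, usernames and timestamps are made up) through a per-source sliding-window rate limiter, flags sources that cycle through many distinct accounts with mostly failed logins, and lists the accounts that were successfully entered from a flagged source as candidates for a forced password reset. Thresholds such as five distinct usernames in sixty seconds are assumptions chosen for the sample data, not recommended production values.

```python
"""Credential-stuffing detection and login rate limiting over constructed auth events.
Added illustration only; not Seesaw's code. All addresses and usernames are invented."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: float       # seconds since an arbitrary epoch
    ip: str         # source address of the login attempt
    username: str   # account being tried
    success: bool   # whether the submitted password was accepted


# Constructed sample events (assumption: not real data). 198.51.100.7 walks a list of
# leaked username/password pairs; two of them work because those users reused passwords.
SAMPLE_EVENTS = [
    LoginEvent(0.0, "198.51.100.7", "teacher01", False),
    LoginEvent(0.4, "198.51.100.7", "parent22", False),
    LoginEvent(0.9, "198.51.100.7", "parent23", True),
    LoginEvent(1.3, "198.51.100.7", "teacher07", False),
    LoginEvent(1.8, "198.51.100.7", "parent31", False),
    LoginEvent(2.2, "198.51.100.7", "parent40", True),
    LoginEvent(2.6, "198.51.100.7", "teacher12", False),
    LoginEvent(3.0, "198.51.100.7", "parent52", False),
    # Ordinary traffic: one user mistypes once and then succeeds; another logs in cleanly.
    LoginEvent(0.5, "203.0.113.10", "parent05", False),
    LoginEvent(5.0, "203.0.113.10", "parent05", True),
    LoginEvent(2.0, "203.0.113.11", "teacher03", True),
]


class SlidingWindowRateLimiter:
    """Allow at most max_attempts per key (e.g. source IP) within any window_seconds."""

    def __init__(self, max_attempts: int, window_seconds: float):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._attempts = defaultdict(deque)

    def allow(self, key: str, ts: float) -> bool:
        q = self._attempts[key]
        while q and ts - q[0] >= self.window:   # forget attempts that left the window
            q.popleft()
        if len(q) >= self.max_attempts:
            return False                         # budget exhausted: reject this attempt
        q.append(ts)
        return True


def simulate_rate_limit(events, max_attempts=5, window_seconds=60.0):
    """Replay events through the limiter; return (ip, username) of rejected attempts."""
    limiter = SlidingWindowRateLimiter(max_attempts, window_seconds)
    rejected = []
    for e in sorted(events, key=lambda e: e.ts):
        if not limiter.allow(e.ip, e.ts):
            rejected.append((e.ip, e.username))
    return rejected


def find_stuffing_sources(events, window_seconds=60.0, min_distinct_users=5,
                          min_failure_ratio=0.6):
    """Flag source IPs that try many DISTINCT accounts with mostly failures in a window.

    A user fat-fingering a password fails repeatedly on one username; credential
    stuffing fails across many usernames, so distinct-account count is the key signal.
    Returns {ip: {"attempts": n, "distinct_users": d, "failures": f}} for flagged IPs.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        window = deque()
        for e in evs:
            window.append(e)
            while e.ts - window[0].ts > window_seconds:
                window.popleft()
            users = {w.username for w in window}
            failures = sum(1 for w in window if not w.success)
            if len(users) >= min_distinct_users and failures / len(window) >= min_failure_ratio:
                flagged[ip] = {"attempts": len(window), "distinct_users": len(users),
                               "failures": failures}
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts successfully entered from a flagged source: their reused password evidently
    worked, so they are the ones to force-reset and notify."""
    return sorted({e.username for e in events if e.success and e.ip in flagged})


if __name__ == "__main__":
    hits = find_stuffing_sources(SAMPLE_EVENTS)
    print("flagged sources:", hits)
    print("accounts to reset:", accounts_to_reset(SAMPLE_EVENTS, hits))
    print("rejected by rate limit:", simulate_rate_limit(SAMPLE_EVENTS))
```

Note that in the replay the limiter rejects the attacker's sixth attempt onwards, which in this constructed data includes the successful login to parent40, while the detector separately flags the source on the distinct-account signal rather than on raw failure count, so a single forgetful parent on 203.0.113.10 is never flagged. In a real deployment the alert would also carry the flagged IP and window statistics to the on-call team, and the reset list would feed the user notification step.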
“We will review additional steps we can take in the coming days to help users further protect their accounts, and we will share an update if any new information is uncovered,” Graham wrote. ®