Two weeks after the Menlo administration introduced a new platform called Club Hub, the rollout of the program was halted after senior Alexandre Haddad-Delaveau discovered a serious privacy issue within the Club Hub website programming.
Club Hub, founded by University of Chicago student Ilan Puterman in 2022, is an online platform designed to simplify the process of joining and managing school clubs. Students can sign up for clubs using Club Hub QR codes, the program’s website or the program’s app. The platform aims to streamline club activities for both members and leaders. Additionally, Club Hub offers administrative tools that track club membership, attendance and event history while providing a centralized communication method for students.
In May, Club Hub was first introduced to Assistant Upper School Director Adam Gelb and former Student Activities Coordinator Frances Ferrell through a Menlo alum and other students who were using it at different high schools. In early August, the administration officially decided to implement Club Hub to help students get connected to opportunities on campus. Gelb hopes that the platform will provide a place for students looking for a community on campus to not only connect but also find information all on one platform. “The idea was that it would make it easier for students and get them interested in maybe joining in something they wouldn’t otherwise join,” Gelb said.
At the beginning of the school year, Dean of Student Life and Culture Alexis Bustamante informed all club leaders that the school planned to adopt Club Hub.
Many members of the community reported being excited about the possible benefits of the new app. “It [seemed] like a super convenient and straightforward way to manage all of the different clubs,” co-leader of Fashion Club Amanda Wu said.
One of the students who signed up for the platform was Haddad-Delaveau, the student who discovered the issue. Haddad-Delaveau, who has an interest in coding and software development, quickly noticed that the app’s website wasn’t super polished. After looking through the website’s code, he discovered privacy vulnerabilities. “I pretty quickly found out there was just a complete disregard for the user’s information, the user’s privacy or security when it was built,” Haddad-Delaveau said.
As soon as Haddad-Delaveau discovered the issue, he reached out to Puterman through customer service on Club Hub. Initially, he said, Puterman dismissed the concern — suggesting that the access to user information was not a bug, but a feature. Eventually, however, he acknowledged the issue and reassured Haddad-Delaveau that he would work on fixing it. Haddad-Delaveau also informed Menlo’s administration, who paused the rollout and contacted the tech department. Dean of Student Life and Culture Alexis Bustamante then sent an email to Menlo club leaders pausing the rollout of Club Hub.
“We always want to make sure that we are honoring student voices and making sure that when a student brings up something that is of concern, that we do our due diligence to validate those concerns and ensure that we’re taking some sort of action,” Director of Technology Mike Kulbieda said.
The tech department immediately investigated the issue and reached out to Puterman about the concern as well. Kulbeida said they investigated the inability to sign in through the mobile app and the fact that data — specifically students’ first names, last names and email addresses — were easily accessible. “When our team looked into it, we actually didn’t find any data leaks. […] [Puterman] must have made some changes based on Alexandre reaching out to him in proactive actions,” said Kulbieda. “We did recognize, however, the app’s design and the platform’s design didn’t look like it was as professional as others we’ve seen.”
Additionally, in follow-up conversations with Puterman, the tech department found out that Club Hub is using a third-party app development platform called Bubble.io to outsource all of the development website and app, which could explain these issues. The tech department is currently continuing to communicate with Puterman to address further issues with the app’s development. “We’re constantly in a process of evaluation whether or not, you know, there are other options out there for us for a long-term partnership,” Kulbieda said.
Ultimately, club fair week, which was the week of Sept. 9, passed without the use of Club Hub. However, now that the security issue has been resolved, the Menlo administration and student council plan to continue using Club Hub for the Menlo club system in the future. “We’re going to keep pushing [Club Hub] to get people to sign up and register for their clubs,” Student Body Vice President Melanie Goldberg said.
Bustamante and Goldberg both acknowledge that the pause of Club Hub has slowed the platform’s momentum. However, they hope that the plans to use Club Hub for the house system will help improve student participation.
Student Council Clubs Coordinator Lauren Rukavina also expressed her excitement about the potential of the platform. “We really want this to be a helpful tool for leaders and students alike,” she said.
Despite the temporary pause, Haddad-Delaveau’s actions ensured that the platform could be used safely moving forward. Administrators lauded Haddad-Delaveau for his upstanding conduct that benefitted the whole community. “The real hero in this story is Alexandre,” Kulbieda said.
This story was originally published on The Coat of Arms on October 21, 2024.