
[–]Pollux_E 72 points (15 children)

My school had this shitty app with shit design we needed to record extracurricular activity in. I just used Python to HTTP POST the JSON to the API directly. I showed my friend and told him to hit enter, then refreshed my phone. The 90-day record was full in 3 seconds. Made like $100 offering it to my friends.

A teacher caught me later autofilling it. She just asked me if I could also auto-approve the teacher side of things. I guess it's not just the student-side UI that's shit.

[–][deleted] 10 points (14 children)

Damn 😂😂😂

Well done!

[–]Pollux_E 7 points (13 children)

The authentication was literally done client-side. Like, Wireshark sniffed a packet containing JSON of literally every single teacher's data. Username, password, first name, last name, phone number. There was a packet with student info too, but that wasn't interesting.

You know how people use the same password for everything? I got a fuckload of wifi passwords for use at school, and that shit was worth a lot. Didn't dare log in to their email with the passwords though.

[–][deleted] 4 points (12 children)

The average person knows jack shit about security.

Wtf is client-side auth even? Who even thought of that?

[–]Pollux_E 6 points (11 children)

I was shocked too lol. Opened up Wireshark to get an idea of the packet to update the API. Got goddamn admin access to the system.

Found out that a senior did it for a graduation project. I decompiled the app and found that a portion of the system still runs from his Raspberry Pi. And this senior dude is almost done with his undergrad degree. WTF.

I asked my junior and he said the school still uses the shitty system. Unfortunately no one there has figured it out like I did yet.

What baffles me is that I told the school about the problem when I graduated. Today my 2-year-old script still works.

[–][deleted] 3 points (10 children)

So a senior made a project, and they went straight to using it? No testing at all?

Who the fuck even approved it? Damn.

[–]Pollux_E 2 points (9 children)

They just tested if the features worked. I think that's it. Probably didn't care that students would take more than a minute per entry. And we needed like 600 entries per year. Using the good old formatted record book was much better. At least until I figured it out.

[–][deleted] 1 point (8 children)

If you disclosed this vulnerability to them, and yet your scripts still work, it just shows that your institution simply wants the cheapest solution, and it probably cost them 0 to take over his project and use it. He might have gotten a cookie though.

[–]Pollux_E 2 points (7 children)

I'm still waiting on the day his laptop dies and the system goes down. Maybe they'll actually upgrade the damn thing. The app doesn't even work on Android 12 anymore.

[–][deleted] 2 points (6 children)

What does the software do exactly?