How I hacked details of about 2500 students using 5 lines of code

First of all, let me clear up a few things about myself. I am an IT grad and new to the bug-bounty and security world. I started learning about hacking 3 months ago, so my knowledge is really shallow compared to other people in the same field.

What I want to talk about in this blog is that many people think “why would anyone hack us!” and end up exposing sensitive information. You can’t just leave your doors unlocked thinking “why would anyone break into my house!” If you have a website with details of other people, it’s your moral (or technical, I should say) responsibility to keep that safe.

Anyway, this is my first blog and I hope you will like it. Please bear with me for any rookie mistakes.

[On a side note, I won’t name the college website I am talking about, for obvious reasons.]

Let’s Get Started!

So one fine day, I was chatting with a new friend on Facebook. As a casual question, I asked him/her about the college he/she goes to. Since I started learning hacking, I had picked up the habit of checking random websites as part of my routine. I just opened a new tab, searched it up and opened the website.

It was a WordPress site, so I quickly checked it with WordPress Scan and everything was fine. There was an image slider which was outdated and had a vulnerability, but it was not that severe. So I tried checking manually: I looked for all the endpoints and tried injecting stuff.

FAILED MISERABLY!

I shut my laptop down and got up for water. (This line is necessary to show how serious I was about the issue. It automatically makes you think that I spent hours on it. :D ) So I started exploring the website a little more. With a bit of exploration and with the help of our beloved dorks, I found another portal of the same college, and it had details of all the students who wanted to take admission there.

What’s next? A login page. I tried to log in with default credentials {“Admin” : “Admin”}, and failed. So the next obvious move for a noob was SQLi.

The login was successful and I had the first account. A moment later I realised it was of no use: even though this is a huge vulnerability, the account was programmed just as it should be for a student, so it had no other functionality. If you don’t know, whenever you bypass a login without entering any credentials (in this case it was a SQL query, so I did not actually pass any arguments; it gave me access because the query evaluated to TRUE), it gives you access to the default (first) account, which developers create to test and check whether the functionalities are working fine.

I was not able to see any good or juicy information right there. I opened the “Review Application” tab, and it was a blank PDF structure. I checked the URL. The structure of the URL was self-explanatory. It was like this:

site.com/application/application_id.pdf

For default account, the id was 1. So the URL of that PDF was like this:

site.com/application/1.pdf

So, as you already guessed (I guess that you already guessed what I was about to guess), the next thing I tried was:

site.com/application/2.pdf

BAM!!

It was the application of a student. With all the information.

Now it was really easy to get the information of all the students who had applied for admission. By trying a few random IDs, I worked out that there were about 2500 applications in total.

I wrote a Python script that iterated through the URLs and requested each endpoint.
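From the defender’s side, this kind of walk through sequential IDs is easy to spot in the web server’s access log. The following is an added example of mine (not code from the post or from the college) that parses constructed Apache-style log lines and flags any client that fetches a run of consecutive application IDs; the IPs, timestamps and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Matches the application PDF path pattern described in the post, plus the status code.
APP_PDF = re.compile(r'"GET /application/(\d+)\.pdf HTTP/1\.[01]" (\d{3})')
# Common log format: the client address is the first field.
CLIENT_IP = re.compile(r'^(\S+) ')

def parse_line(line):
    """Return (client_ip, application_id, status) or None if the line is not an application download."""
    m_ip = CLIENT_IP.match(line)
    m_path = APP_PDF.search(line)
    if not m_ip or not m_path:
        return None
    return m_ip.group(1), int(m_path.group(1)), int(m_path.group(2))

def find_enumeration(lines, min_hits=5, max_gap=1):
    """Flag clients that successfully fetch a run of application ids stepping by at most max_gap.
    A legitimate applicant opens one form (their own), not a sequence of them."""
    per_client = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == 200:
            per_client[parsed[0]].append(parsed[1])
    suspects = {}
    for ip, ids in per_client.items():
        run = longest = 1
        for prev, cur in zip(ids, ids[1:]):
            if 0 < cur - prev <= max_gap:
                run += 1
                longest = max(longest, run)
            else:
                run = 1
        if longest >= min_hits:
            suspects[ip] = longest
    return suspects

# Constructed sample lines (not real traffic): one applicant reading their own form,
# one client walking ids 2..7 in order, and one 404 that is ignored.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2019:13:55:36 +0000] "GET /application/1534.pdf HTTP/1.1" 200 48213',
] + [
    f'198.51.100.9 - - [10/Oct/2019:13:56:{s:02d} +0000] "GET /application/{i}.pdf HTTP/1.1" 200 47000'
    for s, i in enumerate(range(2, 8))
] + [
    '198.51.100.9 - - [10/Oct/2019:13:56:10 +0000] "GET /application/9999.pdf HTTP/1.1" 404 512',
]

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))  # the second client is reported with a run of 6
```

Rate limiting alone would not catch a slow walk, which is why the check keys on the ID sequence rather than on request volume.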

Conclusion:

There are thousands of school and college websites which are not safe and hold sensitive student data. In this case, the data belonged to students who were not even in the college yet, as it was an admission portal. Even my own university, which is the biggest in the state (quantitatively speaking), is careless about handling data. [My next write-up will be on that issue.]

The issue draws attention to the use of encryption. Why encryption? Because anybody can encrypt! All it takes is a small block of code to encrypt something, and almost all developers know how to do it. We can assume that not all developers have strong security fundamentals, but they can encrypt.

Using simple encryption would have made it impossible for me to request those applications. How is that possible, you may ask! What I am suggesting is something like this:

site.com/application/xioxioxioxioxioi.pdf

Rather than storing files directly under their IDs, you can just encrypt the ID and it will be secure. No one can actually guess the key (as long as it’s not “my secret key”) to decrypt the file name and request the next file. So even if you don’t know how to secure your login panel, you can still protect your data, or at least you won’t just hand it out in the wild.
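As an added example (my code, not anything from the post or the college’s portal), here is the guessable lookup from the post next to a hardened version that derives the file name from a keyed hash of the ID, as the author suggests, and additionally checks that the requester owns the application; the users, paths and key handling are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample "database" for this example: application id -> (owner, path on disk).
# Users and paths are hypothetical, not from the original post.
APPLICATIONS = {
    1: ("default", "/srv/applications/1.pdf"),
    2: ("alice", "/srv/applications/2.pdf"),
    3: ("bob", "/srv/applications/3.pdf"),
}
# Per-deployment secret; generated at startup here, in practice loaded from configuration.
SERVER_KEY = secrets.token_bytes(32)

def vulnerable_lookup(application_id: int) -> str:
    """The pattern from the post: the path comes straight from a guessable integer
    and nobody checks who is asking, so any logged-in user can walk 1, 2, 3, ..."""
    return APPLICATIONS[application_id][1]

def public_name(application_id: int) -> str:
    """Opaque file name for the URL: a keyed hash of the id (the post's 'encrypt the
    id' idea). Without SERVER_KEY there is no way to compute or increment it."""
    mac = hmac.new(SERVER_KEY, str(application_id).encode(), hashlib.sha256)
    return mac.hexdigest()[:32] + ".pdf"

# Reverse index so the server never has to 'decrypt' the name: it just looks it up.
NAME_INDEX = {public_name(i): i for i in APPLICATIONS}

def hardened_lookup(session_user: str, name: str) -> Optional[str]:
    """Resolve an opaque name and enforce ownership. The ownership check is what
    stops a logged-in applicant from fetching someone else's form even if a link
    to it leaks; the opaque name only stops blind enumeration."""
    application_id = NAME_INDEX.get(name)
    if application_id is None:
        return None
    owner, path = APPLICATIONS[application_id]
    return path if owner == session_user else None

if __name__ == "__main__":
    print(vulnerable_lookup(2))                          # anyone gets alice's file
    print(hardened_lookup("alice", public_name(2)))      # alice gets her own file
    print(hardened_lookup("bob", public_name(2)))        # bob gets None
```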

I reported the issue and it was fixed after 3–4 days. They took down the separate portal and integrated an admission panel into the main website.
