How I hacked an exam portal and got access to 10K+ users data including webcams
2022-9-22 14:42:28 Author: infosecwriteups.com(查看原文) 阅读量:19 收藏

Hello guys, I am Faique a security researcher and a bug bounty hunter and I welcome you to my write-up on a story of a hack that I did couple of months ago, firstly I thought of not sharing it because it was an easy finding and also I got no bounty from them but then thought of sharing it, as infosec community has taught me so much that it’s now my responsibility to give back to the community. So make sure to follow me & enjoy the write-up

I started hunting on the target because my brother jokingly told me to hack it because he wanted to pass the exam. I cannot disclose the name of the target so I will call it redacted.com.

I did basic recon like gathering subdomains but I didn't found anything. So I thought of focusing on the main domains instead of subdomains.

redacted.com had functionality to sign in, so that students could sign in and give their exams.

I didn't have any credentials that I’ll use to test for bugs. So while browsing on the target I saw the login url https://redacted.com/login,

I changed the end of url from login to register https://redacted.com/register and send the request, and Guess what happened I was redirected to admin register page.

I then registered myself as admin and then logged in. I saw sensitive data like student login information including emails, phone number and webcams images. I didn’t expected webcams images, the images of students was being clicked in every 5 mins.

Not only that, I was also able to see the correct answer of the question and was able to edit it

It was an easy finding but the impact was critical. I reported them and did fixed it but didn’t acknowledge the finding.

Thank you for reading till here I hope you enjoyed and learned something new. If you liked make sure to give a clap and also check my previous write-ups. Feel free to Dm me if you have any query

Follow me on

Twitter: https://twitter.com/imfaiqu3

Instagram: https://www.instagram.com/__faique/

LinkedIn: https://www.linkedin.com/in/faiqu3/

From Infosec Writeups: A lot is coming up in the Infosec every day that it’s hard to keep up with. Join our weekly newsletter to get all the latest Infosec trends in the form of 5 articles, 4 Threads, 3 videos, 2 Github Repos and tools, and 1 job alert for FREE!


文章来源: https://infosecwriteups.com/how-i-hacked-exam-portal-and-got-access-to-10k-users-data-including-webcams-ec2262b43df7?source=rss----7b722bfd1b8d--bug_bounty
如有侵权请联系:admin#unsafe.sh