DATE: 07/11/2022

WHOAMI

My name is Ganesh Kumar AKA iamgk808, a cybersecurity enthusiast and bug hunter. Handles — Twitter, Linkedin

LET THE STORY BEGINS

One Day my father asked me to log in to a government e-learning website to finish some tasks, that all teachers are required to complete within two days, so I log into my father's account & finished the tasks.

Later my father's friend also wants to finish the task so he gave me the e-mail ID and the password I tried to log in with the credential but it showed “enter the correct credential” then I asked him if the credential is correct or not and he told me that he did not create the account someone else has created the account for him with the wrong information.

So I have to find a way to log in to the account !!!

GOAL: Log into the government e-learning website and finish the task

father’s friend given details :
email id - ######@gmail.com
password - ###### (wrong)
mobile no- ######## (wrong)
UDISE Code- #########

Login

With the given email id and password tried to log in, and the UI shows “enter the correct credential”

The burp suite response shows “user not found”, I thought both the email id & password is incorrect, so this attempt is failed

Password reset

So I tried to reset the password but it asks a mobile number, not an email id, then I entered the mobile number and the UI shows “oops something went wrong”.

The burp suite response shows “user not found”, Thus the mobile number is also incorrect, so this attempt also failed

REGISTER

Asks for a UDISE Code (a code given to schools to register an account), entered the code and the UI shows “Another Teacher is already registered in the given School”.

Fortunately, they have given the correct code. The burp suite response shows the full details like email, user id, mobile number, etc...

From this attempt 3, we got useful information like email, mobile number, and user id.

With this mobile number, I tried Attempt -2 (password reset), and the OTP has sent successfully, I asked my father’s friend whether he got the OTP, and he said he did not get the OTP so I asked does the mobile number belongs to you he said it is someone else number and not his number.

so the only way here is to call the unknown number and ask for the OTP but it is not practically possible.

An idea struck my mind, so I log in with my father's valid credentials and check for any functionality or request to change a password.

Luckily I found a password reset request that only requires a valid user id and does not check the old password, From Attempt -3 I already got the user id so I changed the password successfully.

NOTE: If anyone knows what encryption is used to encode the password comment below.

Finally, I logged into the account and finished the task.

Bugs found during this process:

1. IDOR — able to change anyone's password (Critical)
2. IDOR — able to see other teacher's P1 information by simply changing the id value (Critical)
3. IDOR — able to see other student's P1 information by simply changing the id value (Critical)