
how i got access to thousands of students' credentials


so i had just arrived at school and was bored, so i decided to boot up Proxyman (a mitm proxy) on my own phone and look at the requests my apps were already making. nothing happened at first until i stumbled upon my student messenger app, an app by student care for managing your homework, attendance and behavior score.

weird request

i was just clicking through random pages until i randomly got a request going to something like /api/student/<my_student_id>?filter=...login, and if you are reading that and think it's kinda weird, then yeah, it probably is.

i saw the request and thought it was a little weird to be grabbing the student's login credentials while just using the app; however, i saw that there were other filters like my behavior score, so i didn't think much of it.

a couple of minutes later when i got up to class, i exported the request to postman to understand what it was returning and went to /api/student, which listed every single student's information: their name, class, phone number and national id number.

at that point i stopped poking around and switched to writing up a report, because this clearly wasn't "debug info".

strange but let's keep going anyways

i was kinda confused why they would give out information that students aren't supposed to have, but i thought it may just have been an oversight and i was gonna end my investigation there, until i remembered the filter parameter.

it would be really funny if the filter parameter for the login credentials didn't check whether the user was actually that user and just showed every single student's credentials.

where the fun really starts

i tried to put in /api/student?filter=login and boom, it showed me login credentials.

i'm not going to paste real data here (obviously) but it looked something like this:

{
    "id": REDACTED,
    "student_class_id": REDACTED,
    "student_no": "REDACTED",
    "student_no_in_classroom": "REDACTED",
    "card_no": "REDACTED",
    "card_id": "REDACTED",
    "name": "REDACTED",
    "first_name": "REDACTED",
    "last_name": "REDACTED",
    "nick_name": null,
    "id_card_no": "REDACTED",
    "birthdate": "REDACTED",
    "pictures": {
        ...
    },
    "profile_pictures": {
        ...
    },
    "school": {
        ...
    },
    "level": {
        ...
    },
    "classroom": {
        ...
    },
    "semester": {
        ...
    },
    "education_year": "2025",
    "mobile_phone": "nah",
    "email": null,
    "login": {
        "username": "REDACTED",
        "password": "REDACTED"
    }
}

holy shit, that's fucking insane. if that endpoint is reachable by regular app users, that's potentially the login credentials of all the students at 400 schools, roughly 600,000 students nationwide.

recap

  • the app asks for login credentials from the api when not needed
  • /api/student shows all students' information.
  • /api/student?filter=login shows students' login credentials without any checks (at least from what i could see).
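to make the three recap points concrete, here is an added example (my own code, not student care's and not from the original post) that models the broken handler beside a fixed one. the route shape, the field names and the two fake student records are assumed; the point is that the fixed version scopes every lookup to the caller, allow-lists the fields it returns, and never treats "login" as a field that can come back at all.

```python
# added example, not code from the post or from student care.
# route and field names are assumed; the records are constructed, fake data.
from typing import Optional

# constructed sample records (fake values)
STUDENTS = {
    101: {"id": 101, "student_class_id": 7, "name": "student a",
          "id_card_no": "ID-0001", "mobile_phone": "000-0001",
          "login": {"username": "user-a", "password": "secret-a"}},
    102: {"id": 102, "student_class_id": 7, "name": "student b",
          "id_card_no": "ID-0002", "mobile_phone": "000-0002",
          "login": {"username": "user-b", "password": "secret-b"}},
}

# what a caller may see about other students vs. about themselves.
# "login" is in neither set: a client never needs the password back.
PUBLIC_FIELDS = {"id", "student_class_id", "name"}
SELF_FIELDS = PUBLIC_FIELDS | {"id_card_no", "mobile_phone"}


def vulnerable_list(requester_id: int, filter_: Optional[str] = None):
    """behaviour the post describes: the caller's identity is never consulted,
    so /api/student returns everyone and ?filter=login returns every password."""
    rows = list(STUDENTS.values())
    if filter_ == "login":
        return 200, [{"id": r["id"], "login": r["login"]} for r in rows]
    return 200, rows


def _project(record: dict, fields: set) -> dict:
    # keep only allow-listed keys; anything not listed can never leak
    return {k: v for k, v in record.items() if k in fields}


def hardened_get(requester_id: int, student_id: int,
                 filter_: Optional[str] = None):
    """/api/student/<id>: object-level authorization plus a field allow-list."""
    record = STUDENTS.get(student_id)
    if record is None:
        return 404, {"error": "not found"}
    # credentials are never a response field, whoever is asking
    if filter_ == "login":
        return 403, {"error": "filter not permitted"}
    allowed = SELF_FIELDS if student_id == requester_id else PUBLIC_FIELDS
    if filter_ is not None:
        if filter_ not in allowed:
            return 403, {"error": "filter not permitted"}
        return 200, _project(record, {"id", filter_})
    return 200, _project(record, allowed)


def hardened_list(requester_id: int, filter_: Optional[str] = None):
    """/api/student: the listing only ever carries public fields."""
    if filter_ is None:
        return 200, [_project(r, PUBLIC_FIELDS) for r in STUDENTS.values()]
    if filter_ not in PUBLIC_FIELDS:
        return 403, {"error": "filter not permitted"}
    return 200, [_project(r, {"id", filter_}) for r in STUDENTS.values()]


if __name__ == "__main__":
    print(vulnerable_list(101, "login"))   # every student's password
    print(hardened_list(101, "login"))     # 403
    print(hardened_get(101, 101))          # own record, no login block
    print(hardened_get(101, 102))          # someone else: public fields only
```

the filter check is done against the allow-list rather than a deny-list of known-bad values, so a new sensitive field added to the record later stays hidden by default instead of becoming the next ?filter=... surprise.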

timeline

  • june 26 9:02 am: sent initial email to student care with all the information needed to reproduce the issue.
  • june 27 3:14 pm: got in contact with cto at student care, investigation started.
  • july 31 3:20 pm: got an email confirming the issue is resolved.

no bounty was awarded for this because they are a small company and they don't have a large number of users.

additionally, they said they were gonna adopt the ISO/IEC 27001 standard soon.

this was fun, i think