
how i got access to thousands of students' credentials


so i had just arrived at school and was bored, so i decided to boot up Proxyman, which is a mitm proxy, and went on random apps on my phone hoping for random things to happen while inspecting their requests. nothing happened at first until i stumbled upon my student messenger app, an app by student care for managing your homework, attendance and behavior score.

weird request

i was just clicking thru random pages until i randomly got a request going to /api/student/1234567?filter=...login, and if you are reading that and think it's kinda weird, then yeah, it probably is.

i saw the request and thought it was a little weird to be grabbing the student's login credentials while just using the app. however, i saw that there were other filters, like my behavior score, so i didn't think much of it.

a couple of minutes later, when i got up to class, i exported everything to postman, messed around a bit and went to /api/student, which listed every single student's information: their name, class, phone number and national id number.

strange but let's keep going anyways

i was kinda confused why they would give out information that students aren't supposed to have, but i thought it may just have been an oversight and i was gonna end my investigation there. until i remembered the filter parameter.

it would be really funny if the filter parameter for the login credentials didn't check whether the user was actually that user and just showed every single student's credentials.

where the fun really starts

i tried to put in /api/student?filter=login and boom, it showed me every single student's login credentials.

it looked something like this:

{
    "id": REDACTED,
    "student_class_id": REDACTED,
    "student_no": "REDACTED",
    "student_no_in_classroom": "REDACTED",
    "card_no": "REDACTED",
    "card_id": "REDACTED",
    "name": "REDACTED",
    "first_name": "REDACTED",
    "last_name": "REDACTED",
    "nick_name": null,
    "id_card_no": "REDACTED",
    "birthdate": "REDACTED",
    "pictures": {
        ...
    },
    "profile_pictures": {
        ...
    },
    "school": {
        ...
    },
    "level": {
        ...
    },
    "classroom": {
        ...
    },
    "semester": {
        ...
    },
    "education_year": "2025",
    "mobile_phone": "nah",
    "email": null,
    "login": {
        "username": "REDACTED",
        "password": "REDACTED"
    }
}

holy shit, that's fucking insane. all the students' login credentials in 400 schools, roughly 600,000 students nationwide.

recap

  • the app asks for login credentials from the api when not needed.
  • /api/student shows all students' information.
  • /api/student?filter=login shows all students' login credentials without any checks.
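the three issues above, as an added example that is not code from the post or from student care's api: a minimal python model of the handler as the post describes it, beside a hardened version that checks object ownership first and allow-lists the fields a student may read about themselves. the sample records, the function names and any field not in the json above are constructed for illustration.

```python
# Constructed sample data standing in for the ~600,000 records the real API returned.
STUDENTS = {
    1234567: {"id": 1234567, "name": "Student A", "id_card_no": "ID-A",
              "mobile_phone": "000-A", "login": {"username": "a", "password": "pw-a"}},
    7654321: {"id": 7654321, "name": "Student B", "id_card_no": "ID-B",
              "mobile_phone": "000-B", "login": {"username": "b", "password": "pw-b"}},
}


def vulnerable_list(session_user_id, filters):
    """Models /api/student?filter=login as described: the session is ignored, every
    record is returned, and 'login' serialises whatever the store holds as the password."""
    return [{k: v for k, v in rec.items() if k in ("id", "name") or k in filters}
            for rec in STUDENTS.values()]


# Fields a student may read about *themselves*. 'login' and 'id_card_no' are deliberately
# absent: no student-facing projection can ever reach them, whatever ?filter= says.
SELF_READABLE = {"id", "name", "student_class_id", "mobile_phone"}


def hardened_get(session_user_id, student_id, filters):
    """/api/student/<id>: object-level authorization before any data access, then an
    allow-list on the requested projection. Returns (status, body)."""
    if student_id != session_user_id:          # BOLA/IDOR check: only your own record
        return 403, {"error": "forbidden"}
    unknown = set(filters) - SELF_READABLE      # reject unknown filters, don't silently pass them
    if unknown:
        return 400, {"error": "unsupported filter: %s" % sorted(unknown)}
    rec = STUDENTS.get(student_id)
    if rec is None:
        return 404, {"error": "not found"}
    fields = set(filters) or SELF_READABLE
    return 200, {k: rec[k] for k in fields if k in rec}


def hardened_list(session_user_id, filters):
    """/api/student with no id: a student session has no business listing the roster,
    regardless of filter (assumes the session is a student's, as in the post)."""
    return 403, {"error": "forbidden"}
```

a quick way to check an api for the same class of bug from the defending side is to assert, in a test like the one below, that no response body to a student session ever contains a "login" key or another student's id.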

timeline

  • june 26 9:02 am: sent initial email to student care with all the information needed to reproduce the issue.
  • june 27 3:14 pm: got in contact with cto at student care, investigation started.
  • july 31 3:20 pm: got an email confirming the issue is resolved.

no bounty was awarded for this, though, because they are a small company and don't have a large number of users.

additionally, they said that they were gonna adopt the ISO/IEC 27001 standard soon.

this was fun, i think