Edu-Hack: How a Simple Request Compromised Entire Classrooms Users

Introduction:

During my recent penetration testing engagement for a company, In the educational application, teachers can create and share classrooms with students. However, a significant error occurs when the application makes a standard request to fetch classroom information. This mistake results in the inadvertent inclusion of all user tokens within the classroom in the response. This flaw allows an attacker to effortlessly take control of all users within the classroom and subsequently seize control of the entire classroom without detection.

Scenario:

The target was a educational application, teachers can create and share classrooms with students. a significant error occurs when the application makes a standard request to fetch classroom information. This mistake results in the inadvertent inclusion of all user tokens within the classroom in the response. like

email,salt_password,password_digest,api_key,oauth_token,password_reset_token

The Exploitation Phase:

The tokens leaked through a GET request targeting the retrieval of classroom data. The specific request used was:

GET /v1/**/**/search?classroom_code={code}

This request aimed to obtain information about classrooms, but it inadvertently led to the exposure and leakage of tokens associated with the classroom users.

By exploiting the publicly accessible classroom Code, the attacker can effortlessly initiate a request. Subsequently, they can obtain any user’s email, initiate a password reset, and resend the request. The leaked reset password token allows the attacker to successfully take over the targeted user’s account.

Those finding was while engagement with a client on my work with BugSwagger LLC

Please don’t hesitate to reach out to me anytime on X, also known as Twitter.

I trust that this write-up proves helpful to you in any way.