How I hacked an exam portal and got access to 10K+ users' data, including webcams

Faique
Published in InfoSec Write-ups
Sep 21, 2022

Hello guys, I am Faique, a security researcher and a bug bounty hunter, and I welcome you to my write-up on a hack that I did a couple of months ago. At first I thought of not sharing it because it was an easy finding and I also got no bounty from them, but then I thought of sharing it, as the infosec community has taught me so much that it’s now my responsibility to give back to the community. So make sure to follow me and enjoy the write-up.

I started hunting on the target because my brother jokingly told me to hack it because he wanted to pass the exam. I cannot disclose the name of the target so I will call it redacted.com.

I did basic recon like gathering subdomains but I didn't find anything. So I thought of focusing on the main domain instead of subdomains.

redacted.com had functionality to sign in, so that students could sign in and give their exams.

I didn't have any credentials that I could use to test for bugs. While browsing the target I saw the login URL, https://redacted.com/login.

I changed the end of the URL from login to register (https://redacted.com/register) and sent the request, and guess what happened: I was redirected to the admin register page.

I then registered myself as admin and logged in. I saw sensitive data like student login information, including emails, phone numbers and webcam images. I didn’t expect webcam images; images of the students were being taken every 5 mins.

Not only that, I was also able to see the correct answer to the question and was able to edit it.

It was an easy finding but the impact was critical. I reported it to them and they did fix it but didn’t acknowledge it.
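The root cause in this story is an admin registration page that any visitor could reach and use. As an added example (not the author's or the portal's code; the function names, in-memory stores and invite-token scheme are assumptions), this Python code contrasts that behaviour with a registration handler that decides the role server-side and creates an admin only from a single-use invite minted by an existing admin.

```python
import hashlib
import secrets

# Constructed in-memory stores; a real portal would use its database.
USERS = {}             # email -> {"role": ...}
ADMIN_INVITES = set()  # SHA-256 hashes of unused single-use invite tokens


def issue_admin_invite(session):
    """Only an already-authenticated admin may mint an invite for a new admin."""
    if not session or session.get("role") != "admin":
        raise PermissionError("admin session required")
    token = secrets.token_urlsafe(32)
    ADMIN_INVITES.add(hashlib.sha256(token.encode()).hexdigest())
    return token


def register_vulnerable(form):
    """The flaw as described: whoever reaches /register gets an admin account."""
    USERS[form["email"]] = {"role": "admin"}
    return USERS[form["email"]]["role"]


def register_hardened(form):
    """Default-deny: the role is decided server-side, never by URL or form field."""
    email = form["email"].strip().lower()
    if email in USERS:
        raise ValueError("account exists")
    role = "student"                   # any client-supplied "role" is ignored
    token = form.get("invite")
    if token:
        digest = hashlib.sha256(token.encode()).hexdigest()
        if digest not in ADMIN_INVITES:
            raise PermissionError("invalid or already used invite")
        ADMIN_INVITES.remove(digest)   # single use
        role = "admin"
    USERS[email] = {"role": role}
    return role
```

Storing only the hash of each invite means a leaked database row cannot be replayed as a valid token.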

Thank you for reading till here. I hope you enjoyed it and learned something new. If you liked it, make sure to give a clap and also check my previous write-ups. Feel free to DM me if you have any query.

Follow me on

Twitter: https://twitter.com/imfaiqu3

Instagram: https://www.instagram.com/faique.exe/

LinkedIn: https://www.linkedin.com/in/faiqu3/
