InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/


Privilege Escalation: How I Earned $500 by Discovering the Ability to Delete Documents as a Student

Abhi Sharma
Published in InfoSec Write-ups
3 min read · Sep 13, 2023

I recently stumbled upon a fascinating issue while testing Examosis, an educational platform. The issue allowed low-privilege users (students) to delete documents and other items they were never meant to delete; only administrators should have the privilege to remove content.

Understanding Target (Examosis)

Examosis (a placeholder name used to protect the identity of the real platform) is an online learning platform widely used in educational institutions, particularly in the healthcare field. It provides students and educators with a comprehensive set of tools and resources to enhance the learning experience.

What’s Privilege Escalation?

Think of privilege like keys to different rooms in a building. Imagine you have a key to your room, and your teacher has a key to the classroom. But one day, you somehow get a key that can open all the rooms, even the ones you’re not supposed to go into. That’s what we call “privilege escalation” in the computer world — it’s like getting extra keys you shouldn’t have.

Discovering the Bug

While browsing Examosis I had two accounts open at the same time — one as a regular student and the other as an administrator.

I noticed something interesting. The administrator account had a special feature that allowed it to delete files and content that regular students weren’t supposed to touch.

Curiosity got the best of me, and I wondered: “What if I could use the student account to delete files too?”

I tried it out: I clicked the delete button, captured the request, and deleted the file with the administrator account first.

But here’s where it got exciting. I sent that same request from the student account, the one that wasn’t supposed to have this power. And guess what? It worked again!
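What the post describes is a server that hides the delete button from students but never checks, per request, who is actually asking. The following is an added example and not Examosis' code or the author's: a toy delete endpoint modelled in plain Python, once in the vulnerable shape (any authenticated session can delete) and once hardened (the role is resolved from the session on the server and logged when denied). The session tokens, users, document ids and the `/api/documents/<id>` path are all constructed for the illustration; `replay_demo` repeats the post's experiment by sending the same request with the admin cookie and then with the student cookie.

```python
"""Added example: server-side authorization for a document delete endpoint.

Everything here (session tokens, users, document ids, the URL path shape)
is constructed for illustration and does not describe a real platform.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed session store: session cookie value -> (username, role).
# In a real application this lookup would hit the server-side session table.
SESSIONS: Dict[str, Tuple[str, str]] = {
    "admin-session-token": ("ms.lee", "admin"),
    "student-session-token": ("alice", "student"),
}

# Minimal audit trail; a real deployment would ship these lines to a SIEM.
AUDIT_LOG: List[str] = []


@dataclass
class Request:
    """A captured HTTP request reduced to the three fields that matter here."""
    method: str
    path: str      # e.g. "/api/documents/1"
    cookie: str    # session identifier sent by the browser


def _document_id(path: str) -> Optional[int]:
    """Extract the numeric id from '/api/documents/<id>'; None if malformed."""
    parts = path.strip("/").split("/")
    if len(parts) != 3 or parts[:2] != ["api", "documents"] or not parts[2].isdigit():
        return None
    return int(parts[2])


def delete_document_vulnerable(req: Request, documents: Dict[int, str]) -> Tuple[int, str]:
    """Vulnerable handler: the only thing keeping students away from delete
    was the missing button in the UI. Any valid session can delete anything."""
    if req.cookie not in SESSIONS:
        return 401, "not authenticated"
    doc_id = _document_id(req.path)
    if doc_id is None:
        return 400, "bad request"
    if doc_id not in documents:
        return 404, "not found"
    del documents[doc_id]
    return 200, "deleted"


def delete_document_hardened(req: Request, documents: Dict[int, str]) -> Tuple[int, str]:
    """Hardened handler: authorization is enforced on the server for every
    request, using the role of the session that actually sent it. The
    role check runs before the existence check so a denied caller cannot
    probe which document ids exist, and every denial is logged."""
    session = SESSIONS.get(req.cookie)
    if session is None:
        return 401, "not authenticated"
    user, role = session
    doc_id = _document_id(req.path)
    if doc_id is None:
        return 400, "bad request"
    if role != "admin":
        AUDIT_LOG.append(f"authz_denied user={user} role={role} action=delete doc={doc_id}")
        return 403, "forbidden"
    if doc_id not in documents:
        return 404, "not found"
    del documents[doc_id]
    AUDIT_LOG.append(f"authz_ok user={user} role={role} action=delete doc={doc_id}")
    return 200, "deleted"


def replay_demo(handler) -> Tuple[int, int, List[int]]:
    """Repeat the post's experiment against a handler: the captured admin
    request, then the same request shape with only the cookie swapped for
    the student's. Returns (admin_status, student_status, remaining_doc_ids)."""
    documents = {1: "exam-2023.pdf", 2: "syllabus.pdf"}  # constructed data
    admin_req = Request("DELETE", "/api/documents/1", "admin-session-token")
    student_req = Request("DELETE", "/api/documents/2", "student-session-token")
    admin_status, _ = handler(admin_req, documents)
    student_status, _ = handler(student_req, documents)
    return admin_status, student_status, sorted(documents)


if __name__ == "__main__":
    print("vulnerable:", replay_demo(delete_document_vulnerable))
    print("hardened:  ", replay_demo(delete_document_hardened))
    for line in AUDIT_LOG:
        print(line)
```

Against the vulnerable handler both replays return 200 and both documents are gone; against the hardened one the student's replay gets 403, the second document survives, and an `authz_denied` line lands in the audit log, which is the signal a detection rule would key on.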

Steps To Reproduce

  • To reproduce this issue…



Written by Abhi Sharma

Cybersecurity Consultant | Pentester | Bug Bounty Hunter | ContentWriter 🔗 Connect with me on https://twitter.com/a13h1_ and https://www.linkedin.com/in/a13h1/
