Chaining small design issues to reveal student emails

Aagam shah
3 min read · May 10, 2017

Note: My motive for writing this post is purely educational. You are on your own if you use it wrongfully.

So, let's begin. In this post I want to show how a simple design issue can be used by an attacker to reveal a lot of valuable data.

Recently, one of my friends sent me a link to a GTU website, 100points.gtu.ac.in. The website supports a system implemented by GTU under which students admitted from 2015 onward must collect 100 points every year by taking part in co-curricular activities.

So, I quickly took a look at the website, found a student login page, and then found this link.

I randomly entered an enrollment number in the box and hit submit, and then I was surprised by what happened next: this type of message appeared.

The reset link was sent, but the page also showed me which email it was sent to. I was thinking that the student who holds that account must already know his/her email, so what is the need to show it here? This is a simple issue, but now let's see how it goes big.

Upon seeing this type of message, I quickly wrote a script to generate every combination of enrollment number for students who took admission in 2015 and 2016. The script then requests a password reset for each one, and there is no rate limit to stop this brute force, which is another issue.

Script to grab emails

Here, note that I am not only getting students' emails; at the same time, they are receiving a password reset link at their (personal) email addresses.

By using the institute codes of all 137 GTU-affiliated colleges and all subject codes, this script can get the email of every student who took admission in 2015 and 2016.

And that must not happen, I think.

My Views

Emails may not seem like a big deal, but they actually are: an email is your address on the internet, and anyone can reach your social media accounts using it. With these emails you can easily become the target of guerrilla advertising (spam).

In my view, this issue can be easily fixed with just two minor changes.

  1. Instead of "Reset link sent to xyz@email.com", show only "Reset link sent to your registered email".
  2. To stop brute-forcing of requests, just implement a captcha on that page.
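To make the two fixes concrete, here is an added example (my own illustration, not code from the GTU site) of a password-reset handler before and after: the leaky version echoes the registered address and answers differently for unknown accounts, while the hardened version returns one fixed message either way and adds a per-client rate limit alongside the captcha the post suggests. The account table and client names are constructed placeholders.

```python
import time
from collections import defaultdict, deque

# Constructed sample account store: enrollment number -> registered email.
# Placeholder values only, not real GTU records.
ACCOUNTS = {"150001234567": "student.one@example.com"}
SENT = []  # stands in for the mail system; records (enrollment, email)


def send_reset_link(enrollment, email):
    SENT.append((enrollment, email))


def leaky_reset(enrollment):
    """Before: the response differs per account and echoes the address,
    so a guessed enrollment number doubles as an email lookup."""
    email = ACCOUNTS.get(enrollment)
    if email is None:
        return "No account found for this enrollment number."
    send_reset_link(enrollment, email)
    return f"Reset link sent to {email}"


class ResetLimiter:
    """Sliding-window cap on reset requests per client (IP or session)."""

    def __init__(self, max_requests=5, window_seconds=3600):
        self.max_requests = max_requests
        self.window = window_seconds
        self.hits = defaultdict(deque)

    def allow(self, client, now=None):
        now = time.time() if now is None else now
        q = self.hits[client]
        while q and now - q[0] > self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


LIMITER = ResetLimiter()
GENERIC = "If this enrollment number is registered, a reset link has been sent to its registered email."


def safe_reset(enrollment, client, now=None):
    """After: one fixed message whether or not the account exists, the
    address is never echoed, and a client over the limit is refused
    before any lookup happens."""
    if not LIMITER.allow(client, now):
        return "Too many reset requests; please try again later."
    email = ACCOUNTS.get(enrollment)
    if email is not None:
        send_reset_link(enrollment, email)
    return GENERIC
```

The rate limit only bounds how fast one client can submit guesses; the uniform message is what removes the email disclosure itself.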

In conclusion, I want to say that Software Engineering is an important subject. Study it well...

Well, that was a joke. All subjects are equally important. Have a good time.

Thanks
