Hi everyone, I am Rahul from IIIT-Allahabad. Hope you are doing well in this pandemic. I have recently started exploring the fields of cybersecurity and web-application hacking. This is my first blog, and here I will demonstrate how I was able to gain unauthorized access to the Aviral account of any IIIT-Allahabad student and see all their data (in simple terms, I was able to log into anyone's account without knowing their password).
Let's dive into the process. Below is the login portal, where the user is asked to enter a user id and password.
I observed that the usernames of all students of the 2018 batch follow the pattern iit2018xxx (a similar pattern is used for every batch).
So the usernames look something like iit2018001, iit2018002, iit2018003, etc., while passwords are unique for every student.
I then entered my username and password and inspected the response to this request using Burp Suite. It looks something like this:
If you look at the server's response closely, it is sending a JWT (JSON Web Token).
WHAT IS A JSON WEB TOKEN?
A JSON Web Token (JWT) is a JSON object used to securely transfer information over the web between two parties. It can be used for authentication and also for information exchange. A token is composed of three parts, the header, the payload and the signature, separated by dots (.).
After decoding the JWT I found that it carries the user id.
Here in the payload data you can see my username, iit2018192. I changed the username in the payload to my friend's username, obtained a new JWT, replaced my token with it in the response, and forwarded the response to the browser to check whether I could log into my friend's account. As soon as I replaced the token and forwarded the response, the browser showed his username, but the login did not complete. Still, I was sure there was some misconfiguration here, so I repeated the process from step 1 to check the response. This time, before forwarding the response to the browser, I changed the username to another student's username in the response itself. See the picture below:
Here I changed the username to iit2018106 and forwarded the response to the browser, and as expected the server lacked validation and was vulnerable to response manipulation: I was able to log into his account. See the screenshot below, where I am logged into his account and can see all his details.
Mission accomplished: logged into another student's account.
Note: I reported it to the college officials on 08–10–2020 and it was fixed within hours by a senior programmer.
Hope you enjoyed my blog.
Bugcrowd profile : https://bugcrowd.com/Agathamudi_Rahul_Naidu
LinkedIn profile : www.linkedin.com/in/AgathamudiRahulNaidu