That day I was reading the bug bounty list on bugcrowd.com:
https://www.bugcrowd.com/bug-bounty-list/
Then I read that Edmodo had opened a bug bounty program but only gave swag. Curious, I opened the URL and it turned out that they not only give swag but also pay a bounty to those who find vulnerabilities on their website.
I read their bug bounty program rules, then opened the main page of the Edmodo website and tried to find some vulnerabilities there. First I tried to find a Cross-Site Scripting vulnerability but had no luck, then I also tried to find an Unrestricted File Upload vulnerability and I managed to get hold of one. WOW!
I sent a report of the vulnerabilities I had found to their email on August 1, but on August 13 I received an email reply notification that my findings were duplicates because other researchers had found them first.
I felt sad that my findings were duplicates of a previous report, but I did not give up. I read through several accounts and found that these accounts have an account ID that can be seen in the URL. Then it occurred to me: "Can I get private information from these accounts?" I realized that Edmodo has an API, so I tried to get private account information through the API.
api.edmodo.com/users
And I got an error message that I don't have access to view the private information of the user account (Forbidden):
{"status_code":403,"forbidden_fields":null,"errors":[null],"error":"Forbidden"}
After that I added the user ID and BOOM! I got user ID 1's private information such as role, user title, time zone, country, first name, last name, username, etc. And I was like WOAH!
I also got a lot of Edmodo school information from their API:
api.edmodo.com/districts
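The behaviour described above (the collection route answers 403 to an anonymous caller, but the same caller gets a full record back as soon as an ID is appended) is the classic shape of broken object-level authorization: the existence check runs, the authorization check does not. The example below is added here and is not Edmodo's code; it models a user-profile API in plain Python with a constructed in-memory directory, an assumed role set ("teacher"/"student"), and an assumed field policy derived from the quoted email (students and private teachers are never exposed to others, public teachers expose only a few fields, and the location is the school's, not the user's). The vulnerable item handler is shown beside a hardened one that routes every endpoint through one shared policy function.

```python
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass(frozen=True)
class User:
    id: int
    username: str
    role: str            # "teacher" or "student" (assumed role names)
    private: bool        # the user opted into a private profile
    first_name: str
    time_zone: str
    school_country: str  # location of the associated school, not a home address


# Constructed sample directory; none of these are real accounts.
USERS = {
    1: User(1, "alice_t", "teacher", False, "Alice", "America/New_York", "US"),
    2: User(2, "bob_t", "teacher", True, "Bob", "America/Toronto", "CA"),
    3: User(3, "carol_s", "student", False, "Carol", "America/Chicago", "US"),
}

# Fields a public teacher profile exposes to anyone (assumed policy).
PUBLIC_FIELDS = ("id", "username", "role", "school_country")

# Same error shape the post quotes from the real API.
FORBIDDEN = (403, {"status_code": 403, "forbidden_fields": None,
                   "errors": [None], "error": "Forbidden"})
NOT_FOUND = (404, {"status_code": 404, "error": "Not Found"})


def visible_fields(user: User, requester: Optional[User]) -> Optional[dict]:
    """Single authorization policy shared by every endpoint.

    Returns the dict of fields `requester` may see, or None if nothing.
    """
    if requester is not None and requester.id == user.id:
        return asdict(user)                      # owners see their own record
    if user.role == "student" or user.private:
        return None                              # never exposed to others
    return {k: v for k, v in asdict(user).items() if k in PUBLIC_FIELDS}


def vulnerable_get_user(user_id: int, requester: Optional[User]):
    """Item endpoint as the post describes it: existence check only, no authz."""
    user = USERS.get(user_id)
    if user is None:
        return NOT_FOUND
    return 200, asdict(user)                     # requester is ignored entirely


def get_user(user_id: int, requester: Optional[User]):
    """Hardened item endpoint: runs the same policy as the collection."""
    user = USERS.get(user_id)
    if user is None:
        return NOT_FOUND
    fields = visible_fields(user, requester)
    if fields is None:
        return FORBIDDEN
    return 200, fields


def list_users(requester: Optional[User]):
    """Collection endpoint: anonymous callers are refused, and the policy
    decides per record what an authenticated caller gets back."""
    if requester is None:
        return FORBIDDEN
    records = []
    for user in USERS.values():
        fields = visible_fields(user, requester)
        if fields is not None:
            records.append(fields)
    return 200, records


if __name__ == "__main__":
    # Anonymous caller: the collection is refused, but the old item route leaks.
    print(list_users(None))
    print(vulnerable_get_user(1, None))
    print(get_user(1, None))
    print(get_user(3, None))
```

The point of `visible_fields` is that the decision "who may see which fields of this record" lives in exactly one place, so the item route cannot drift away from the collection route the way the post observed. A further hardening not shown here is to answer 404 for both a missing ID and a record the caller may not see, so that sequential IDs cannot be confirmed as existing; it is left out so the responses match the 403 shape quoted in the post.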
With pleasure, I immediately reported the vulnerability I had found on their website via email.
On August 13th I reported this vulnerability, and the next day I got an email notification saying it would take them about 2 weeks to fix it. 2 weeks later I got an email notification that my findings were said to be "public information". WHAT?! Seriously?!
The user information that you have seen available at api.edmodo.com or on a user's profile is considered public information. If a user has a private profile, this information will not be viewable. Teachers with private profiles and students are not publicly available. The included locations are not the user's home location but rather the location of the school the teacher is associated with.
Then I replied to the email to ask them: "Are you sure that this information is public information?"
Until now, I have not received a reply email from edmodo, and I hope that I will get a good response from edmodo.
Timeline:
13 August - reported on 2 vulnerabilities that I had found
14 August - They will provide more information in the next 2 weeks
26 August - No rewards at all
Even though I got no reward from them, I still continue what a security researcher should be doing ☺️☺️
Thanks for reading my story, enjoy and keep hunting for bugs!
And remember, a new feature means a new bug.
Video PoC: