Security vulnerabilities

Attached to Project: Security vulnerabilities
Opened by freetb - 15.02.2024
Last edited by nferrari - 04.03.2024

Description

An unvalidated input vulnerability has been identified in the class joining process of the platform. By fuzzing the teacher ID parameter in the class_join URL, an attacker can potentially join any class without proper authorization. This issue poses a significant security risk and may lead to unauthorized access to sensitive information and class benefits.

Impact

The potential impact includes:

a) Unauthorized access to sensitive class information
b) Compromised data privacy for both students and instructors.

Proof-of-Concept

To reproduce the vulnerability, follow these steps:

1) First, we log in a test account. Next, we replay this invite URL I got from an actual tutor invite, but now we manipulate the teacher ID value to grant us unvalidated access to certain classes.
This is the invite URL:

https://admin.alwaysdata.com/academic/attach/?teacher=<TEACHER_ID>

2) Fuzz different values for the ID parameter to find classes that can be accessed without proper authorization. A bit flipper attack would provide the best results.

3) Upon finding a class with a vulnerable ID, join the class by providing the manipulated URL to the unauthorized user.

Mitigation

1) Implement proper input validation and sanitization for the class ID parameter to ensure that only authorized users can join classes. This can be done by assigning a temporary validation token per class_join request.

2) In the absence of token validation, the teacher_id could be encrypted to a longer, more obfuscated value to reduce predictability.

POC || Bit Flipper Video: https://file.io/qy91eQRASzyo