A year ago, I discovered the CORS and IDOR vulnerabilities on Edmodo.
Read Here: [CORS] + [IDOR]
So, before I look for something on Edmodo, I thought, let's go and visit that endpoint again.
There you can update your information in two ways:
- Either you enter manually, or
- Simply enter a name or city or state or country or zip code and then the application will locate the address you want.
So I started updating the information manually [intercepted all requests and got that URL],
but this time, the endpoint was not showing the credentials of my account.
I checked all the requests one by one...
In the response to one request, I got lots of HATEOAS (Hypermedia as the Engine of Application State) [1] - [2] links.
Out of these links, one link was talking about my credentials: https://api.edmodo.com/schools/My_school_id
So, what next...
I changed My_school_id to SomeoneElse_school_id,
and the credentials contained the user's phone number, lat-long, student/teacher's school address, role, about, credentials of other connected teachers/students (their phone numbers and all...), etc.
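The behaviour described above is a missing object-level authorization check on the /schools/<id> resource. The following is an added example, not code from the original post or from Edmodo, showing that pattern beside a handler that verifies membership and trims other members' contact fields; the `User` type, the `SCHOOLS` records and all function names are assumptions made for illustration.

```python
# Added example: object-level authorization for GET /schools/<school_id>.
# All names and records are constructed; this is not Edmodo's code.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    user_id: int
    school_ids: frozenset   # schools this account belongs to

# Constructed sample data store.
SCHOOLS = {
    101: {"name": "North High", "address": "1 Example Rd",
          "members": [{"id": 1, "role": "teacher", "phone": "555-0101"},
                      {"id": 2, "role": "student", "phone": "555-0102"}]},
    202: {"name": "South High", "address": "2 Example Ave",
          "members": [{"id": 3, "role": "teacher", "phone": "555-0203"}]},
}

def get_school_vulnerable(requester, school_id):
    """Flawed pattern: any authenticated caller gets any record by ID."""
    school = SCHOOLS.get(school_id)
    return (200, school) if school else (404, None)

def get_school(requester, school_id):
    """Checks membership on the server for every request, then trims fields."""
    school = SCHOOLS.get(school_id)
    # Same 404 for "missing" and "not yours" so IDs cannot be enumerated.
    if school is None or school_id not in requester.school_ids:
        return 404, None
    members = []
    for m in school["members"]:
        entry = {"id": m["id"], "role": m["role"]}
        if m["id"] == requester.user_id:
            entry["phone"] = m["phone"]   # only the caller's own phone number
        members.append(entry)
    return 200, {"name": school["name"], "address": school["address"],
                 "members": members,
                 "links": {"self": f"/schools/{school_id}"}}

def build_links(requester):
    """HATEOAS links only advertise resources; they are not an access check."""
    return [f"/schools/{sid}" for sid in sorted(requester.school_ids)]
```

Limiting the hypermedia links to the caller's own schools is useful hygiene, but the membership test inside `get_school` is what actually closes the gap, because the ID in the URL is caller-controlled.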
I was aware that Edmodo is vulnerable to CORS, so in the meantime, I asked them why they do not patch the CORS issue…???
Jan 12, 2019 : Reported Date
Mar 28, 2019 : Issue has been fixed according to their concern
Happy Hunting…!!! 🔱