How I Hacked My School’s Students Portal to get access to any student’s details?

Abhay Vishwakarma
2 min read · Apr 16, 2022

Introduction

Hello friends, I am Abhay Vishwakarma and I am currently studying in class 12th. In our school we have an online portal for students and parents where we can check our school’s fee info and all the other important information of a student, like Personal Info, Attendance, Messages, etc.

How I got that Bug?

So, one day I just opened the portal to check my fee, but I had forgotten my password, so I used the Forgot feature to get my password on my email.

After a few seconds, I got the password in my mail, and then I wanted to change it because it was a random password which I couldn’t remember.

So, I went to the Change Password feature, and then I had an idea: let’s check for any bug in this feature of the site.

Then I opened Burp Suite, changed my password, and intercepted that request in Burp Suite.

In the Burp request there are 3 parameters: Email, Password, and SID.

SID is the unique ID for every student, and my SID is 2014. Then I manipulated the SID to my sister’s SID, which is 2011, and BOOOOM!!!!!!!!!!!!

The password of my sister’s account was changed!!!!!!

Then I tested on my friends’ accounts and I was able to change the password of all students without any authorisation.


Now, I had access to the personal details of any student.

Then I reported this issue to the admin of the school, and he told me that their backend team was working to fix the issue, and after a few hours it was fixed.
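The behaviour described above is a change-password endpoint that trusts the SID sent by the client. The following Python model is an added example, not the portal's actual code: the handler names, the session store, and the sample accounts are all hypothetical. It contrasts a handler that takes the account from the request with one that takes it from the server-side session.

```python
import hashlib
import os

# Constructed sample data (assumption): SID -> account record.
ACCOUNTS = {
    2014: {"email": "student2014@example.org", "pw": None},
    2011: {"email": "student2011@example.org", "pw": None},
}
# Constructed session store (assumption): cookie token -> SID set by the server at login.
SESSIONS = {"tok-abc": 2014}


def _hash(password: str) -> bytes:
    """Salted PBKDF2 hash so the model never stores a plaintext password."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def change_password_vulnerable(session_token, form):
    """Checks that someone is logged in, but not that they own the SID they name."""
    if session_token not in SESSIONS:
        return 401
    sid = int(form["SID"])  # client-controlled identifier decides whose password changes
    ACCOUNTS[sid]["pw"] = _hash(form["Password"])
    return 200


def change_password_hardened(session_token, form):
    """The account comes from the session; a client-sent SID can never override it."""
    sid = SESSIONS.get(session_token)
    if sid is None:
        return 401
    # If the form still carries an SID, it must match the session's SID.
    if "SID" in form and str(form["SID"]) != str(sid):
        return 403  # a mismatch is also a useful signal to log and alert on
    ACCOUNTS[sid]["pw"] = _hash(form["Password"])
    return 200
```

Requiring the current password in the same request is a common additional control on top of the ownership check.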

And after this incident I went to school and I was recognised as Hecker.

Thanks For your Time,
