My First Swag Pack : A Logical Bug on Edmodo
A very short story about the first swag pack that security researcher Abartan Dhakal ever won, when he found a logical bug at Edmodo.
This is the short story of my first swag pack. Not so long ago, I was focused only on bounty sites, I saw some stories on facebook of my friends who were getting their 3-4th swags and I was like, wow I need to get in on this too. It all started with my plan to test edmodo, as their response time is awesome.
I went through the edmodo site, signed up as a teacher, and started exploring its functionalities. I tried xss in the post page, NO LUCK. Tried idor from setting page, again NO LUCK. I thought ok, lets try some other target.
It was at just 5-7minutes, when I saw an "add a phone" option and I added my number and didn't verify because I wanted to check if I could bypass that. But still NO LUCK.
Then I created another account, tried to add the same number, it said : Its already in use.
Now I just managed to find a simple logical flaw where I could just add your number, not verify, and you can't use that at all when you wanna signup. It allows me to effectively block you from using two factor authentication on Edmodo if I know your phone number.For sure its not the most technically impressive hack you have ever seen, but its mine and I was proud of it.
Chip benson replied to confirm its validity and asked I not duplicate it within 24hrs. He rewarded me with an awesome Swag pack ;) It took 1 week for the swag pack to get to me but it was an awesome feeling seeing it arrive!!
Thanks for reading.
Happy Hunting <3
Main Image Credit : The awesome piece of artwork used to head this article is called 'Red Phone Booth' and it was created by graphic designer Mary-Ann Ramirez.