How I can access any students data from my college

Overview.

That’s right: I managed to break into my college’s portal and got access to details like phone number, photo, date of birth, fees paid, category, GPA and much more for every student, not only those who are currently studying but also those who graduated years ago.

Story Time.

Before I spill the beans on how I did it, here’s a small story.

I have a hard time remembering people's names 🙃; it often takes me three meetings to finally remember them (hopefully). And guess what, back when I started college a year ago I didn’t know anyone, and forgetting names isn’t a good first impression 🙄. How badly I wanted a tool to just look someone’s name up with their ID (I like numbers more, I can remember them. And no, I am not a robot). Voilà, a year and a month later that’s exactly what I and my equally forgetful friend built 😎, but we ended up with something more than just a name lookup.

The Exploit.

So our college has a portal that uses our Unique Student Number (USN) and Date of Birth (DOB) as credentials and stores various student details. Since a date of birth is guessable rather than secret, this opens up a huge opportunity for brute-force attacks.

A brute-force attack is a trial-and-error method in which a program systematically tries candidate login credentials or encryption keys until one is accepted, thereby gaining unauthorized access to a system.

How It Works.

  1. A list of USNs to crack is fed into the program.

  2. For each USN the year of enrollment (YOE) is separated out, e.g. in the USN 1MS21IS000, 21 -> 2021 is the YOE.

    • Then 18 years is subtracted from the YOE, since most students join college at 18.

    • The brute-force attack is executed for YOE - 18; if it fails, YOE - 17 is tried; if that fails, YOE - 19; still failing? try YOE - 16. You get the idea.

  3. The brute-force attack is carried out for each month as a multi-threaded subroutine.

Multithreading is a programming technique that allows a computer program to do multiple things at the same time. Normally, a program executes a series of instructions one after the other, which can take a lot of time if there are network/communication delays. With multithreading, a program can split its instructions into smaller pieces and run them simultaneously.

  4. The program sends a request for every possible date in the month until the portal opens successfully, in which case the DOB is returned; if all the dates are exhausted, it returns None.

  5. Voilà, after the program finishes you have all the details of the student.
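As an added example (not the author's tool or the portal's code), here is the defender-side check a portal operator would want for the pattern the steps above produce: one USN receiving many failed logins in a few seconds. The log format and the sample lines are constructed for this example; a per-account lockout keyed on the same counter would stop the enumeration outright.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
THRESHOLD = 10  # failed guesses per USN within WINDOW; a student mistyping their DOB stays far below this
FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_line(line):
    """Parse one constructed auth-log line: '<ts> usn=<USN> result=<FAIL|OK> src=<ip>'."""
    ts, usn, result, src = line.split()
    return (datetime.strptime(ts, FMT), usn.split("=", 1)[1],
            result.split("=", 1)[1], src.split("=", 1)[1])

def detect_dob_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {usn: (time_of_alert, src)} for accounts whose failed-login rate crosses threshold."""
    recent = defaultdict(deque)  # usn -> timestamps of recent FAIL events (sliding window)
    alerts = {}
    for line in lines:
        ts, usn, result, src = parse_line(line)
        if result != "FAIL":
            continue
        q = recent[usn]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and usn not in alerts:
            alerts[usn] = (ts, src)  # first moment this USN looked like an enumeration target
    return alerts

def build_sample_log():
    """Constructed sample: one forgetful student plus one client hammering a single USN."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    lines = []
    # legitimate user: two typos, then success, spread over a minute
    for i, res in enumerate(["FAIL", "FAIL", "OK"]):
        t = (base + timedelta(seconds=20 * i)).strftime(FMT)
        lines.append(f"{t} usn=1MS21IS042 result={res} src=10.0.0.7")
    # enumeration client: 30 DOB guesses for one USN in 15 seconds (two per second, as a threaded script would)
    for i in range(30):
        t = (base + timedelta(milliseconds=500 * i)).strftime(FMT)
        lines.append(f"{t} usn=1MS21IS000 result=FAIL src=10.0.0.5")
    return sorted(lines)  # ISO timestamps sort lexicographically, so this orders by time

if __name__ == "__main__":
    for usn, (when, src) in detect_dob_bruteforce(build_sample_log()).items():
        print(f"ALERT {when:%H:%M:%S} usn={usn} src={src}: DOB brute-force pattern")
```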

Disclaimer.

It's important to remember that using this method to access confidential information is illegal and unethical. For the same reason, if the college finds out a student is doing this, it can take strict action against them. The purpose of this blog is to demonstrate the power of programming and the ease with which critical information can be accessed if proper security measures aren't taken. I am also writing a letter to the college to fix this as soon as possible.

There you have it: with a quick script you can access all the juicy information of your friends. But please ensure you use this knowledge responsibly and for educational purposes only.

Whoa there, Sherlock, before you put on your detective hat and go on the hot trail of your friends and crush: I remind you that this tool is only accessible on demand. And if stalking were an Olympic sport, you still wouldn't be cool for doing it, regardless of the nagging thought that tells you to 😄.

However, if you just want to impress your friends you can contact me. And use it wisely 🙂.

Closing thoughts.

While the tool currently takes a maximum of 1 minute and 30 seconds on average to crack the DOB, asyncio and aiohttp seem like an alternative to the threading and requests modules that could provide even more optimization and speed.

A special thanks and shoutout to Shravan for playing an important role in this project and bringing life into it. He was my inspiration to write this blog.

Website Link: dob-finder-sis.

Contributors Github: Shravan & Amith M