Edmodo is one of the largest and most active learning-community platforms in the world, with over 100 million registered users.
The Story begins here...
After reporting the CORS exploitation issue, I stopped hunting on the Edmodo platform.
About a month and a half later, while scrolling up and down my info.txt file on my laptop, I clicked on a link I had saved:
The link opened and my account details were displayed.
This means that the access_token was still alive.
So, before doing anything else, I changed the user_id in the request to another user's user_id.
and BOOM..!!
Now I was able to see the private information of any other Edmodo user (email address, home address, city, zip code, state, country, latitude, longitude, created date, role, about, etc.).
After performing the IDOR, I came across this JWT token. The Edmodo API uses this JWT for authentication.
A JWT consists of three base64url-encoded parts separated by dots:
[Header.Payload.Signature]
= access_token=eyJ0eXabcdefghijklmnopqrstuvwxyz(.)eyJpYXabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz(.)70VwMabcdefghijklmnopqrstuvwxyz
After decoding it, the payload claims that the token expires in 24 hours: "expires_in": 86400. Note that expires_in is not the registered JWT exp claim from RFC 7519; either way, a lifetime written into the payload only matters if the API actually checks it on every request.
But the token I used a month and a half later was still alive, so nothing was enforcing that lifetime.
Impact: if a user's access_token is compromised, an attacker can keep reading that user's personal data for a long time, even after the IDOR issue itself is resolved.
Sep 24, 2017: Reported as additional info
Oct 12, 2017: Bug patched (access-token validation added: after 24 hours the JWT is no longer accepted for processing)
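To make the token structure and the fix concrete, here is an added Python example that is not part of the original post and not Edmodo's code. It builds an HS256 JWT whose payload carries an iat timestamp and the "expires_in": 86400 field seen in the post, decodes it the way the author did (split on the dots, base64url-decode), and then compares two server-side validators: the reported behaviour (signature only, lifetime never read) and the patched behaviour (reject once iat + expires_in has passed). The signing key, the HS256 algorithm, the user_id claim and the iat value are assumptions for illustration; the post only shows that the header starts with eyJ0eX ({"ty...) and the payload with eyJpYX ({"ia...), which is consistent with a {"typ":...} header and an {"iat":...} payload, and that is what the example reproduces.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed for this example (not taken from the post): the signing key, the
# HS256 algorithm, and every claim except "iat" and "expires_in".
SECRET_KEY = b"example-hs256-key-not-edmodos"
LIFETIME = 86400                 # the "expires_in": 86400 seen in the payload
MONTH_AND_A_HALF = 45 * 86400    # roughly how long the author's token stayed alive


def b64url_encode(raw):
    # JWS uses base64url with the '=' padding stripped (RFC 7515, section 2).
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    # Put the padding back before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(user_id, issued_at, key=SECRET_KEY):
    """Build header.payload.signature for an HS256 token carrying iat and expires_in."""
    header = {"typ": "JWT", "alg": "HS256"}
    payload = {"iat": issued_at, "expires_in": LIFETIME, "user_id": user_id}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token):
    """What the author did: split on '.' and read the parts without checking anything."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_signature(token, key):
    """Pin the algorithm and check the HMAC; return the payload on success."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def validate_before_fix(token, key=SECRET_KEY, now=None):
    """The behaviour reported: a valid signature is enough, the lifetime is never read."""
    return verify_signature(token, key)


def validate_after_fix(token, key=SECRET_KEY, now=None):
    """The Oct 12 fix as described: reject once iat + expires_in has passed."""
    payload = verify_signature(token, key)
    now = int(time.time()) if now is None else now
    if "iat" not in payload or "expires_in" not in payload:
        raise ValueError("token carries no lifetime")
    if payload["iat"] > now + 60:                 # allow a little clock skew
        raise ValueError("token issued in the future")
    if now >= payload["iat"] + payload["expires_in"]:
        raise ValueError("token expired")
    return payload


def accepted(validator, token, now, key=SECRET_KEY):
    """True if the given validator would let the token through at time `now`."""
    try:
        validator(token, key=key, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    issued = 1506211200                           # constructed iat (24 Sep 2017 00:00 UTC)
    token = issue_token(user_id=12345, issued_at=issued)
    print("payload:", decode_unverified(token)[1])
    for label, at in (("1 hour later", issued + 3600),
                      ("45 days later", issued + MONTH_AND_A_HALF)):
        print(label, "before fix:", accepted(validate_before_fix, token, at),
              "after fix:", accepted(validate_after_fix, token, at))
```

Run it and the 45-day case shows the bug: the signature-only validator still says True, the patched one says False. Two design points worth keeping in any real validator: pin the alg header instead of trusting whatever the token says, and compare the HMAC with hmac.compare_digest rather than ==.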
Happy Hunting…!!! 🔱
Next Post 🔰 : Edmodo Students-Teachers Private Information Disclosure - IDOR & CORS Exploitation