On one fine morning of our final semester, we got an email asking us to fill some details for use in the graduation certificate. There was a black-and-white photo of us visible after logging into the portal. (I think we had uploaded it sometime back.) Forced by habit, I hovered over it to see the URL. It seemed hackable. I copied it to open in an incognito window to see if it would still work without authentication / cookies. It did! I changed the ID in the URL to confirm if I could see the photo of someone else as well. It was indeed accessible.
I stood up from my chair in the computer lab and looked around.
(Full disclosure: Okay, I didn’t! I was too damn lazy that way. I added that for dramatic effect! Real-world does not have such things. 😝)
One of my friends was sitting diagonally behind me, so I turned around and told him the images are open. He replied that he had noticed that as well. When will our college start investing in security?
I had a junior who was working hard to introduce the concept of cybersecurity to our administration. We used to syncup regularly on the progress. All his advice was falling on deaf ears. (The situation slowly improved a lot. He hacked - and demoed - a lot of systems in the coming years which led to acknowledgement of the vulnerabilities by them. I also got to know that he led many initiatives there and is now expanding it across the country.)
So back to the task at hand! Facemash was already running through my mind. Let’s think it through! What would I need? I wanted to be sure that it would work before investing time into it. Some people call me lazy, I prefer the term smart.
Everything was in place.
It spread like wildfire! By the next day, everyone in the computer lab was on it. I was on cloud nine, seeing 1000s of new database rows (read votes) every hour. I felt like I completed a sneaky heist!
The next day, someone started abusing it. The API to vote was vulnerable - it took two player IDs and who was voted to be hotter. People started writing scripts to send in numerous votes either in support of themselves or against someone else.
It was clearly visible on the website as well. It had sections showing the highest and lowest ranked players. The numbers were clearly rigged.
I brought the site down for maintenance immediately and deleted the spammy rows. I implemented a solution that passed a code, which was randomly-generated on visiting the homepage, along in the API call when someone clicked on vote. If the vote API was called w/o that code, it redirected to a page saying something along the lines of ‘scripts are not allowed’. I tested this and it looked good. The website was back up!
It again started getting spammed after a couple of days. It had become a cat-and-mouse game. Finally, I disallowed voting for a particular person. The system would then generate battles so you could not vote for / against any person altogether. You could only vote for the battle the system has generated for you. I was pretty satisfied with the solution and implemented it. The site was running again.
Eventually, like every other fad (2048, flappy bird, etc.), people lost interest in it and it died a slow death.
To sum up, learn by doing! Don’t let the fear of failure stop you from trying something out. Going in, I knew that there were a lot of things that could go wrong! For example, I didn’t know how to design a decent page back then. If the code didn’t have the HTML / CSS code included, I’m pretty sure I would have done a crappy job at it. And it probably wouldn’t have taken off! Or I might not have the confidence to put it out in the open, then it would just have been an internal thing within our group. But you’ll never know unless you try! (You miss 100% of the shots you don’t take.) 👊
And yeah, this soundtrack does get you in the hacker mood! So put it on, and do epic shit. 😉
Until We Meet Again…