Breaking into the Classroom: A Glimpse into Hacking a Leading EdTech Platform

sallam
2 min read · Aug 18, 2024

In the world of ethical hacking, sometimes the most secure-looking platforms have hidden vulnerabilities waiting to be discovered. That’s exactly what my friend 0d_samii and I found when we set our sights on a well-known educational technology platform. What started as a challenge to bypass a seemingly secure login system turned into a full-scale investigation into how class codes could be exposed, allowing unauthorized access to sensitive areas of the platform.

It all began when we noticed that the platform required an authorization code, which teachers typically provide to students. Without it, you couldn’t even register or log in. After some digging, we realized these codes were six-digit numbers, and we quickly moved to brute-forcing them. With some clever scripting and tools like Burp Suite and ffuf, we were able to find several valid codes. This was just the beginning.

Once inside, we could access student dashboards, but the real prize was the classroom access. But here’s where things got tricky — class codes were heavily guarded with rate limiting. However, through relentless investigation and some out-of-the-box thinking, we found a way around this limitation. By exploiting the code validation process on a different domain, we uncovered archived URLs that contained exposed class codes. With these in hand, we gained full access to the classes and their contents.

Curious about the full journey? Read the entire story and see how we pieced it all together here: Inside the Classroom: How We Hacked Our Way Past Authorization on a Leading EdTech Platform.
