Not going to lie, Linways is such an amazing academic tracking platform especially for us TKMCE students, compared to the previous EazyCampus in our college.
By now, almost everyone in our college knows the so-called-fight there was between me & Eazycampus website makers. I don’t know why the fight, but it was fun! ? This could be version 2.
#1. Initial Days – TKM adopted Linways AMS system
I was the happiest to see our college adopting to a newer Academic Management System (AMS) called Linways. Not just their name, but their company website looked really good..and that brought me a big smile, India is becoming Digital India. ? (damn eazycampus)
So, It was then I realized that my app was no longer going to be helpful like before. It was going to be dead.
How could I let my app die?
I am a Digital marketing practitioner & this was my time to prove that I sell my app to them, Linways. I fired up my laptop and drafted a quick mail. I had a hope this would work out all fine, that they would finally say a YES.
I still remember that night, talking to a friend who was a big Gary vee fan.
He was very good at inspiring others and making them do the shit they want to without worrying about the outcome.
Linways had to say YES, why not?
- My app already had users of over 3000+ (which was almost our entire college)
- 180 users using the app live every 30 minutes (6 users/minute)
- Attendance & marks retrieved in less than 4 seconds.
- 364 ratings & starred 4.7/5 on Playstore
So, I was like “Yeah, let’s see if we can hit a deal”.
On January 27, I sent a mail.
Does this chapter have an ending? Nope.
It so got sorted out that they had an app already under development (I knew that before, but still my app was far better in all the features), that they did not bother to give me a reply mail. ?♂️
Okay. That was all for it in part one of the story. Nicely ignored my mail. ?
A Cool fact is that their app is still under development as today, December 24th, 2019.
#2. Hacking Linways – The GOAL To Getting Internships.
Let you tell you my hacking journey in short. It was during my school days that I was introduced to a competition called InCTF, A nationwide Capture The Flag (CTF) hacking competition for highschool children.
That was a crazy time.
I remember solving each hacking problems just days before my main 11th class exams. I loved doing it since it taught me many new things that I could have never imagined how hacking could be done in so many different ways.
What kept me going?
There are a lot of opportunities that you can get as a cybersecurity enthusiast. Most of the companies (especially outside India) offer bug bounties which means you can get paid nearly $500-$10,000 depending upon the severity of the bug on their website.
They also provide internships, certificates, and even offer jobs at their companies which is indeed worth it. This thing got into my mind a long time back and that’s where all this began.
More to it, I keep learning more from the internet, and that keeps me going.
So now, The first thing that I like to do whenever I see a new dynamic website is to run security checks on it for like 3 minutes just for fun and to see where it leads to.
Now Main Question, How Did I Hack?
Before that, Let me tell you this all happened in May 2019… 7 months back (..and I told no one ?)
First and foremost, I tried the simplest SQL injection hack. It’s pretty old, but still relevant on sites that developers fail to notice and fix. You can learn more about it here.
Normal URL: https://tkmce.linways.com/student/student.php?menu=home SQL Injected URL: https://tkmce.linways.com/student/student.php?menu=home"OR"1"="1
Oooooh, What did we get here!
They were using the Cloudflare DNS to protect from the cyber-attacks. That means that the SQL injections, the dangerous DDOS attack, cross-site scripting attacks had to be skipped. (Sounds scary right ?)
So, Is it a full stop to our search? NO! ? There are plenty of ways more we can do this!
It was time for Plan B.
I fired up my burp suite and started inspecting the requests that Linways makes to its servers.
- Checked for open-subdirectory and NO, they coded the server pretty well.
- Tried tricking the server by injecting forms with malicious codes & buffers. Most of them showed ‘Blocked message’ or no result.
- Tried injecting EXIF param with codes into pictures before uploading. Turned out they process images in their server and only then stores them.
- Listed all URL’s on the website and checked for vulnerable parameters. That took a long time.
Vulnerable parameters can be checked on both GET & POST Requests. However, it was a bit challenging to do on POST requests.
I tested for the first few requests & that’s where I saw something that could be dangerous. ?? Like seriously dangerous.
Awww! Finally. That was the moment.
To make sure it works, I forwarded a request that deletes the main homepage of the Linways website. ? So 5 things:
- It worked, The first page was deleted off the website. NO one can access the website or even check the attendance, marks until the file was back.
- This attack done here is called the Cross-Site Request Forgery (CSRF) attack.
- The bug on the website allowed me to locate and delete (but not read) any of the files on their server. Literally ANY file.
- Linways AMS is run by many other colleges like Vimala College Thrissur and 65 more colleges. It was possible for me to do this same, on their subdomains too. You can now imagine the HIGH severity of the bug.
- Getting this bug/vulnerability FIXED would have been a pain in the ass. Literally, if Linways get to know this problem, they would take lots of days to find the vulnerable request I had made.
Few of my friends told me (days later) about this ‘File not found’ error they had seen.. that they did not what to do. Hahaa. I had an evil laugh. ?
For what I did just now, the entire website down for 15-20 minutes (until I informed them.)
You might seem all of what I did here was simple & easily done in a few minutes.
Nope. It took me days. These all happened when our normalized semester marks were announced.
I don’t look into cybersecurity things always, because I got other serious work to do. ? This was done just for leaning purposes.
So anyway, I quickly drafted a mail to the official Linways team, hoping to receive a reward of prize money or an internship.
Linways, as an Indian company, I was almost sure that they would not be providing me any prize money for finding this bug.
However, I still had a chance for an internship.
Then they responded with a mail saying they have passed the message to the engineering team and they are providing an immediate fix on the bug.
The website was live 20 minutes after.
Yaay, so I am getting an internship. Wow! ?
I mailed them my resume and waited. Waited for a 1 week, 2 weeks and finally, 1 month was over. On June 24, one guy from Linways, Bangalore called me saying for a telephonic interview. I said, Yes go ON!
I was asked to introduce myself, explain my coding works, my coding languages, and a few questions on data structures and algorithm problems were asked.
Question #1, Write a code to print the second largest number in an array.
My answer would be as simple as this.
s_number = arr.sort()[-2] //simple & easy right?
However, the interviewer told me the answer isn’t efficient. The below one is the right & perfect answer. Use merge sort, done in less than a second.
def mergeSort(arr): if len(arr) >1: mid = len(arr)//2 #Finding the mid of the array L = arr[:mid] # Dividing the array elements R = arr[mid:] # into 2 halves mergeSort(L) mergeSort(R) ....32 more lines (Doing Merge sort)
I like oh come on, simple and precise answers are the best naa. After that interview, I did a quick speed test to actually see the time difference between the two. It was quite noticeable. ?
Question #2, You are given an unsorted array of length N=100 consisting of numbers from 1 to 100. Out of this array, one number is missing. Find the number.
My thoughts: Let’s say, a number 96 is missing from the list of numbers from 1 to 100. To find that in the simplest way, we can loop from 1 to length N and check if that number is present in that list else print out the number. That works but code isn’t optimized.
Interview Wasn’t Good
I told him a few more ways, by which we could possibly solve this. However, he said that isn’t the best solution. ? I gave up then.
Damn optimization. That is not my area, As a coder and a developer from Electronics Engineering background, I know to make things, but optimizing codes as per their finest algorithm in the order of N & N Log(N) was out of my knowledge. ?
The solution to that 2nd question was N(N+1)/2 – the sum of all numbers. Try it yourself. ?
A total of 3 questions and all partially answered. The interview was done. I knew this was not going to be positive.
The results were OUT! and it turned out…
…not selected. ? It’s okay, this was just another company’s rejection. ?
I made another attempt, asking them for the token of appreciation of prize money if they would be willing to offer (as they had offered in their mail). I got no mail response for a month, so I had to go for WhatsApp way.
Overall by now, I would like to let you know a few things.
Yes, most of the Indian companies don’t offer prize money (what we call ‘bug bounty’) for informing security issues. Tell me, Is it better to pay ethical hackers like us a few amounts for letting them know & getting the issue fixed? …or to wait & see the website getting hacked by some black hat Russian hackers?
Not getting the internship was okay, but the bug was so critical that it could have harmed entire domains they own on their server.
If this same bug was introduced on an internationally known website, It will easily fetch a bounty of $300.
Like I said, Even for us ethical hackers, we can’t hack easily on a go. It takes days and months for pointing out that one single security bug.
That brings an end to this story.
Have a great day! ✌️