How I hacked a live website and It hasn't been fixed yet!

Recently, I found some bugs on a friend’s quiz website. I could hack the functionality and can potentially crash pages of people, sharing their quiz to me. Though the website didn’t have sensitive information it’s not something harmful, but I along the way I discovered a peculiar bug, rather a confusion with python.

Who I am

I am a student. I am 16 years old and know web dev. I also research about security sometimes as hacking into stuff and CTFs is also my hobby.

Some Background

The website is called Matequiz. A user can make a quiz about themselves and can share with his/her friends to know how much they scored on their quiz. (there is a scoreboard for that). I DID mail Matequiz about the bug. Its been weeks but they didn't reply.

What I did

As you can see, I just made a quiz like normal folks. But after submitting the quiz, I captured the request object and took a look at it through a proxy.

Made a simple quiz

The first mistake I noticed

As you can see, while submitting the quiz, the website just submits the options to the server. And the mistake was the input can be ANYTHING. So I tried to make a mathematically impossible quiz, by putting all ZEROS, which will result in no correct answers. (This can be corrected with simple server validation)

The selected option is RED, hence its wrong.

So if I share this quiz with someone, they won't be able to secure any points, which is fun.

I played my own Quiz :P

Now, I intercepted the network while submitting an answer

And noticed the results were sent directly so I can modify it. FUN STUFF…

I can win at any quiz now

Now some real Hacking starts.

I sent “99” at the results but the scoreboard shows 9. Hmmm, must be some complicated logic. Then I tried sending “15”. The scoreboard says 5. Well as I am not so smart, I took some time to figure out that It was taking the last string. Then I sent a 💩 emoji, as it is out of the ASCII Unicode or something.

I see the scoreboard again…

IT CRASHED

HELL YEAH now I can crash the scoreboard of anyone with a 💩

Wait but how did that happen 😅

After some scanning, I got to know that site is written in Python version 2. I decided to replicate what error could have happened. So I wrote a program in python which shows the last letter, or character of a word.

EVERYTHING WORKED FINE, no errors

I did this in python 3. And everything was okay, with no errors. I decided to do the same with python2 this time —

YEAH an error

With the older version of python2, it shows an error. I am bad at python so I don't know much working on it, but this was really cool to research on. The same must have happened in the server and the scoreboard crashed.

Matequiz, if you just read this, its time to fix some serious stuff.

Thanks for reading, I hope you enjoyed this. I am happy that you could make it to this point.

Have a nice day.