how i got admin on every cyberschool website


please dont send hate to cyberschool, i emailed them after, very cool people :)

what is cyberschool?

cyberschool is a company owned by ies, which does a lot of things for schools, but this post is about the websites they create for schools.

the actual story

so, this happened a few weeks after my freshman year of school started. being bored since all of my classes are easy (minus geometry, way too fucking difficult), im spending my free time doing whatever

i decided i wanted to look through some of the html and js of my schools website, and im finding interesting apis and functions, but nothing crazy yet.

i find a weird api called "doLoginAs.cfm", but i cant figure out how to use it, so i move on

i continue scrolling, and i find a weird function, called "performLoginAs", and i see it takes in one parameter, so out of curiosity, i run "performLoginAs(1)" in console

the page reloads.. and it just fucking worked???

the only image i have of being logged into admin

im in pure shock this worked, who wouldve left a javascript function that lets you log into any account?

i later realized it took a user id as the parameter, and of course, user id 1 is the webmaster. aka, i have pretty much complete control over what messages are displayed to anyone who goes to my schools website

i quickly write another email, this time to the director of technology for my district (im sure they love me so much now)

while i wait, i do some more testing. i know all of the websites that this company made also have a "school.cyberschool.com" link, so i just went to google, typed "site:*.cyberschool.com", and clicked the first link. it worked.

i could go onto any one of hundreds of school websites, and just get admin, and do whatever i wanted.

luckily, the next morning, i got a reply (AND HE SPELT MY NAME WRONG AGAIN.) and it was fixed pretty quickly. the api was also locked off, requiring some authentication now.
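
Editor's added example, not code from this post or from cyberschool: a constructed model of a "login as" endpoint, first the way the post describes it behaving (the user id in the request is all it looks at), then with the decision made on the server from the caller's own session. All names (users, newSessions, loginAsVulnerable, loginAsHardened), the "admin" role and the session ids are assumptions for illustration.

```javascript
// Constructed model of a "login as" (impersonation) endpoint.
// Every name and record here is hypothetical sample data.
const users = new Map([
  [1, { id: 1, name: "webmaster", role: "admin" }],
  [2, { id: 2, name: "teacher", role: "editor" }],
]);

// Server-side session store: session id -> state. userId null = not logged in.
function newSessions() {
  return new Map([
    ["sess-admin", { userId: 1 }],
    ["sess-editor", { userId: 2 }],
    ["sess-anon", { userId: null }],
  ]);
}

// Vulnerable: trusts the requested id and never asks who is calling.
function loginAsVulnerable(sessions, sessionId, targetId) {
  const session = sessions.get(sessionId);
  if (!session || !users.has(targetId)) return { status: 404 };
  session.userId = targetId;
  return { status: 200 };
}

// Hardened: the server decides from the caller's own session, then logs it.
function loginAsHardened(sessions, sessionId, targetId, auditLog) {
  const session = sessions.get(sessionId);
  const caller = session ? users.get(session.userId) : undefined;
  if (!caller) return { status: 401 }; // no authenticated caller
  if (caller.role !== "admin") {
    auditLog.push({ event: "login_as_denied", caller: caller.id, target: targetId });
    return { status: 403 };
  }
  if (!users.has(targetId)) return { status: 404 };
  session.impersonatorId = caller.id; // remember who is really acting
  session.userId = targetId;
  auditLog.push({ event: "login_as", caller: caller.id, target: targetId });
  return { status: 200 };
}

// Same request (anonymous session asking for user id 1) against both handlers.
const before = newSessions();
const after = newSessions();
const audit = [];
console.log(loginAsVulnerable(before, "sess-anon", 1).status);
console.log(loginAsHardened(after, "sess-anon", 1, audit).status);
```

Hiding or removing the client-side function changes nothing in this model; only the server-side check does, and the audit entries give defenders something to alert on when impersonation is attempted or used.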