From an SMS Code Flaw to a Massive School Admin Weak‑Password Vulnerability
The article details how a lack of rate limiting on a 4‑digit SMS verification code allowed brute‑forcing of a school app, exposing admin accounts that all used simple passwords like "qwerty", demonstrating how a tiny oversight can compromise an entire education platform.
The author explains the "broken‑window effect" in security: a minor oversight can collapse an entire defense. In a certain mini‑program, entering any phone number returns the associated school name, so an attacker can confirm that a number is registered without any guesswork, and the login verification consists of a 4‑digit SMS code with no rate‑limit protection.
Exploiting this, the tester entered arbitrary numbers such as 00000000000, 13888888888, or 18888888888, which correspond to test accounts often used by administrators. The app returned the school name, allowing the attacker to request a verification code. Because the 4‑digit code lacks error‑count limits, the attacker could repeatedly guess until a correct code was found, thereby gaining backend access without triggering bans.
Once inside the management console, the author discovered that every school administrator’s account used extremely weak passwords. A search for a Shanghai admin revealed the password was simply qwerty, the first six letters on a keyboard. Out of ten schools tested, only one or two had changed the default password; the rest retained the trivial password, making privileged accounts trivially accessible.
The compromised admin accounts expose sensitive data such as student IDs, grades, and phone numbers. The root causes are twofold: the front‑door (the 4‑digit SMS code) is insufficiently protected, and the back‑door (admin passwords) is left unguarded because administrators prefer easy‑to‑remember defaults and lack security awareness.
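To make the two root causes concrete from the defender's side, here is an added illustration (not code from the mini‑program or from the article's author) of what the missing controls look like: a server-side verifier that caps wrong guesses per phone number, expires codes and consumes them after use, plus a password policy that refuses the issued default and keyboard-row strings such as "qwerty". All class, function and constant names (`OtpVerifier`, `password_policy_ok`, `MAX_ATTEMPTS`, the denylist) are hypothetical, and the numbers are constructed sample values.

```python
"""Hardening the two weak points the write-up names: an SMS code with no
attempt limit, and admin accounts left on a default password.
Added illustration; every name and policy value here is hypothetical."""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 4
MAX_ATTEMPTS = 5          # hypothetical policy: invalidate the code after 5 wrong guesses
CODE_TTL_SECONDS = 300    # hypothetical policy: a code is valid for 5 minutes


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class OtpVerifier:
    """Server-side verification with a per-phone attempt cap and expiry."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can move time forward
        self._pending = {}           # phone -> PendingCode

    def issue(self, phone: str) -> str:
        # A fresh random code per request; any earlier code for this number is dropped.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[phone] = PendingCode(code=code, issued_at=self._clock())
        return code  # a real system hands this to the SMS gateway, never to the caller

    def verify(self, phone: str, guess: str) -> str:
        """Return 'ok', 'wrong', 'locked' or 'expired'. The code is consumed on
        success, on lockout and on expiry, so it can never be guessed later."""
        entry = self._pending.get(phone)
        if entry is None:
            return "expired"
        if self._clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self._pending[phone]
            return "expired"
        entry.attempts += 1
        if hmac.compare_digest(entry.code, guess):   # constant-time comparison
            del self._pending[phone]
            return "ok"
        if entry.attempts >= MAX_ATTEMPTS:
            del self._pending[phone]
            return "locked"
        return "wrong"


def guess_success_probability(digits: int = CODE_DIGITS, attempts: int = MAX_ATTEMPTS) -> float:
    """Chance that `attempts` tries hit a uniformly random code of `digits` digits.
    With no cap an attacker eventually reaches 1.0; with the cap it stays tiny."""
    return min(1.0, attempts / (10 ** digits))


# Constructed denylist for illustration; a production list would be far larger.
WEAK_PASSWORDS = {"qwerty", "123456", "password", "admin", "12345678", "qwerty123"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def password_policy_ok(password: str, default_password: str) -> bool:
    """Reject the issued default, known-weak strings, short passwords and any
    four-character keyboard-row run such as 'qwer' or '1234'."""
    p = password.lower()
    if p == default_password.lower() or p in WEAK_PASSWORDS or len(password) < 12:
        return False
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - 3):
            if row[i:i + 4] in p:
                return False
    return True


if __name__ == "__main__":
    v = OtpVerifier()
    phone = "13888888888"            # sample number taken from the write-up
    code = v.issue(phone)
    print("wrong guess ->", v.verify(phone, "xxxx"))
    print("right code  ->", v.verify(phone, code))
    print("cap success probability:", guess_success_probability())
    print("'qwerty' accepted?", password_policy_ok("qwerty", "qwerty"))
```

The lockout is tied to the code itself rather than to the client, so retrying from a different IP address does not reset the counter, and the same single-use rule closes the replay window once a correct guess has been made. The password check is deliberately simple; its point is that the default value and trivially patterned strings are refused at the moment an administrator sets a password, which is where the write-up's second weakness would have been caught.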
Overall, the article demonstrates how a simple SMS verification flaw can lead to a large‑scale weak‑password vulnerability across educational institutions.
Black & White Path