Student Information Leakage via Unauthenticated API in a University System
The article describes a case in which a university student information system served students' personal data through an API endpoint that performed no permission check: after deriving a default login password from an ID number found in a public PDF, the author walked the endpoint's pagination parameters and downloaded roughly 4,000 student records.
In this article the author, a self‑described “architect”, shares a security case in which a university’s student information system exposed personal data through an API endpoint that required no authentication.
The entry point was a PDF file that revealed a student’s ID number and ID card number; the author used these to guess the account’s default login password (the last six digits of the ID). After logging in, the author found that the “daily affairs” module was served without proper permission checks.
Intercepting traffic with a proxy, the author identified the /api/apps/feedback endpoint. The request as sent by the front end lacked the parameters the back end expected, so the author appended pageNum and pageSize to the query string. Incrementing pageNum returned paginated JSON records containing student names, classes, student numbers, email addresses, and ID numbers, and the endpoint answered without any session or permission check.
Further testing showed that the access rule depended on URL depth: paths with three segments (such as /api/apps/feedback) were served, while deeper paths were blocked. With pageSize=1000 and pageNum stepped from 1 to 5, the author extracted roughly 4,000 student records.
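The enumeration walk and the depth-based access rule described above, modelled as an added example (this is not the article's code, and the affected system is not named). The endpoint path /api/apps/feedback and the pageNum/pageSize parameters come from the write-up; the student records, the Request type, the dispatcher functions and the exact "deeper than three segments requires a session" rule are assumptions constructed to reproduce the reported behaviour, with a hardened dispatcher beside the vulnerable one.

```python
"""Added example (not the article's code): a minimal model of the flaw described
above. Endpoint path, record fields and the "three segments are public" rule are
assumptions taken from the write-up; the records are constructed sample data."""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data standing in for the student table (4,200 rows).
STUDENTS = [
    {"name": f"Student{i:04d}", "class": f"CS{i % 4 + 1}",
     "studentNo": f"2020{i:04d}", "email": f"s{i:04d}@example.edu",
     "idNumber": f"110101200001{i:06d}"}
    for i in range(1, 4201)
]

MAX_PAGE_SIZE = 50  # assumed cap for the hardened endpoint


@dataclass
class Request:
    path: str
    params: dict
    session: Optional[str] = None  # None models an unauthenticated caller


def feedback_handler(req: Request) -> dict:
    """Paginates the student table as the write-up describes: any caller that
    reaches the handler receives name, class, student number, email and ID."""
    page_num = int(req.params.get("pageNum", 1))
    page_size = int(req.params.get("pageSize", 10))
    start = (page_num - 1) * page_size
    rows = STUDENTS[start:start + page_size]
    return {"status": 200, "total": len(STUDENTS), "rows": rows}


def vulnerable_dispatch(req: Request) -> dict:
    """Authorization keyed on URL depth (assumed from the write-up): a path with
    more than three segments needs a session, /api/apps/feedback does not."""
    depth = len([seg for seg in req.path.split("/") if seg])
    if depth > 3 and req.session is None:
        return {"status": 401, "rows": []}
    if req.path == "/api/apps/feedback":
        return feedback_handler(req)
    return {"status": 404, "rows": []}


def hardened_dispatch(req: Request) -> dict:
    """Fix: authenticate every request regardless of path shape, cap pageSize,
    and return only the columns a feedback listing actually needs."""
    if req.session is None:
        return {"status": 401, "rows": []}
    if req.path != "/api/apps/feedback":
        return {"status": 404, "rows": []}
    page_size = min(int(req.params.get("pageSize", 10)), MAX_PAGE_SIZE)
    capped = Request(req.path, {**req.params, "pageSize": page_size}, req.session)
    resp = feedback_handler(capped)
    resp["rows"] = [{"name": r["name"], "class": r["class"]} for r in resp["rows"]]
    return resp


def enumerate_records(dispatch: Callable[[Request], dict], page_size: int = 1000,
                      session: Optional[str] = None, max_pages: int = 50) -> list:
    """The attacker's walk: bump pageNum until a page comes back short or denied."""
    harvested = []
    for page_num in range(1, max_pages + 1):
        resp = dispatch(Request("/api/apps/feedback",
                                {"pageNum": page_num, "pageSize": page_size}, session))
        if resp["status"] != 200:
            break
        harvested.extend(resp["rows"])
        if len(resp["rows"]) < page_size:
            break  # last (partial) page reached
    return harvested


if __name__ == "__main__":
    loot = enumerate_records(vulnerable_dispatch)
    print(f"vulnerable, no session: {len(loot)} records, e.g. {loot[0]['idNumber']}")
    print(f"hardened, no session: {len(enumerate_records(hardened_dispatch))} records")
    safe = enumerate_records(hardened_dispatch, session="student-session")
    print(f"hardened, logged in: {len(safe)} records, fields {sorted(safe[0])}")
```

Against the vulnerable dispatcher the walk pulls all 4,200 rows in five requests, the same shape as the article's pageNum 1 to 5 at pageSize=1000. Against the hardened dispatcher an unauthenticated walk gets nothing, and even a logged-in caller is limited to 50 rows per page and never sees the email or ID columns; the authentication check is the real fix, the cap and field minimization only limit blast radius if it is ever bypassed again.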
The author concludes with three lessons: thorough information gathering, persistence in testing, and probing exposed APIs for potential data leaks, and encourages responsible disclosure.
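A defender's counterpart to the third lesson, added here as an example and not part of the article: the sweep the author ran (one client stepping pageNum from 1 to 5 with pageSize=1000) leaves a recognisable trace in web-server access logs. The log lines below are constructed in common log format; the thresholds min_pages and big_page are assumptions to be tuned per application.

```python
"""Added example (not from the article): flag pagination sweeps in access logs.
Log lines are constructed; thresholds are assumptions."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Common log format with the request line split into method / target / protocol.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)'
)

# Constructed sample: one client sweeping five large pages, one normal user,
# and one client whose requests were denied.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jun/2024:10:00:01 +0800] "GET /api/apps/feedback?pageNum=1&pageSize=1000 HTTP/1.1" 200 412000
203.0.113.7 - - [01/Jun/2024:10:00:03 +0800] "GET /api/apps/feedback?pageNum=2&pageSize=1000 HTTP/1.1" 200 411870
203.0.113.7 - - [01/Jun/2024:10:00:05 +0800] "GET /api/apps/feedback?pageNum=3&pageSize=1000 HTTP/1.1" 200 411902
203.0.113.7 - - [01/Jun/2024:10:00:07 +0800] "GET /api/apps/feedback?pageNum=4&pageSize=1000 HTTP/1.1" 200 411650
203.0.113.7 - - [01/Jun/2024:10:00:09 +0800] "GET /api/apps/feedback?pageNum=5&pageSize=1000 HTTP/1.1" 200 82310
198.51.100.4 - - [01/Jun/2024:10:01:12 +0800] "GET /api/apps/feedback?pageNum=1&pageSize=10 HTTP/1.1" 200 4100
198.51.100.4 - - [01/Jun/2024:10:01:20 +0800] "GET /api/apps/feedback?pageNum=2&pageSize=10 HTTP/1.1" 200 4080
192.0.2.9 - - [01/Jun/2024:10:02:00 +0800] "GET /api/apps/feedback/export?pageNum=1&pageSize=1000 HTTP/1.1" 401 0
192.0.2.9 - - [01/Jun/2024:10:02:01 +0800] "GET /api/apps/feedback/export?pageNum=2&pageSize=1000 HTTP/1.1" 401 0
"""


def find_enumeration(log_text: str, min_pages: int = 3, big_page: int = 100) -> list:
    """Group successful paginated requests by (client, path) and report clients
    that fetched at least min_pages distinct pages with pageSize >= big_page."""
    pages_seen = defaultdict(set)   # (ip, path) -> distinct pageNum values
    max_size = defaultdict(int)     # (ip, path) -> largest pageSize requested
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue  # only successful responses leaked data
        url = urlparse(m["target"])
        query = parse_qs(url.query)
        if "pageNum" not in query:
            continue
        key = (m["ip"], url.path)
        pages_seen[key].add(int(query["pageNum"][0]))
        max_size[key] = max(max_size[key], int(query.get("pageSize", ["0"])[0]))

    alerts = []
    for (ip, path), pages in pages_seen.items():
        if len(pages) >= min_pages and max_size[(ip, path)] >= big_page:
            alerts.append({"ip": ip, "path": path, "pages": sorted(pages),
                           "max_page_size": max_size[(ip, path)]})
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration(SAMPLE_LOG):
        print(f"{alert['ip']} swept {alert['path']} pages {alert['pages']} "
              f"at pageSize up to {alert['max_page_size']}")
```

Only the 203.0.113.7 sweep is reported: the ordinary user never exceeds pageSize=10, and the denied requests to the deeper path never returned data. A drop in response size on the last page (82310 bytes after four pages around 412000) is the same "short final page" signal the attacker's loop uses to stop, and is worth alerting on in its own right.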
Java Architect Essentials
Committed to sharing quality articles and tutorials to help Java programmers progress from junior to mid-level to senior architect. We curate high-quality learning resources, interview questions, videos, and projects from across the internet to help you systematically improve your Java architecture skills. Follow and reply '1024' to get Java programming resources. Learn together, grow together.