University of Toronto Hackathon: Accidental Vulnerability Discovery

2025-03-20

A University of Toronto student, while registering for the GenAI Genesis 2025 hackathon, stumbled upon a vulnerability. After resetting his password (his password manager failed to save it), he noticed the reset link pointed to a Firebase app. Curiosity piqued, he tried some common Firebase exploitation techniques. He discovered the website updated application status by writing the entire application object, not just the necessary fields. Exploiting this, he successfully changed his application status to 'accepted'. He further found an information leakage vulnerability, allowing early access to review results, reviewer information, and comments. The vulnerability has since been patched.
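The whole-object write and the early-visible review data described above can both be closed on the server side. The sketch below is an added example, not code from the hackathon site or from Firebase: it accepts a full application object from the client but rejects any change outside an allowlist, and filters reviewer data out of what the applicant can read. All field names, the status values and the `decisionReleased` flag are assumptions.

```javascript
// Added example. Field names, status values and the decisionReleased flag
// are assumptions, not the hackathon site's real schema.
const APPLICANT_WRITABLE = new Set(["name", "school", "resumeUrl", "answers"]);
const REVIEWER_ONLY = new Set(["reviewerId", "reviewScore", "reviewComments"]);

// Constructed sample record, as it might sit in the database.
const SAMPLE = {
  ownerUid: "u1", name: "A. Student", school: "UofT", status: "pending",
  reviewerId: "r9", reviewComments: "strong idea", decisionReleased: false,
};

// Keys added, removed or changed between the stored and submitted objects.
// Nested values are compared by JSON text, so a reordered nested object
// counts as changed: the check fails closed.
function affectedKeys(stored, incoming) {
  const keys = new Set([...Object.keys(stored), ...Object.keys(incoming)]);
  return [...keys].filter(
    (k) => JSON.stringify(stored[k]) !== JSON.stringify(incoming[k])
  );
}

// The client may still send the whole object; the server decides which
// differences it accepts from the applicant.
function authorizeApplicantWrite(uid, stored, incoming) {
  if (stored.ownerUid !== uid) return { ok: false, reason: "not owner" };
  const denied = affectedKeys(stored, incoming)
    .filter((k) => !APPLICANT_WRITABLE.has(k));
  return denied.length === 0
    ? { ok: true, reason: "" }
    : { ok: false, reason: "protected fields: " + denied.join(",") };
}

// Read side: reviewer data is never returned to the applicant, and the
// status only once the decision has been released.
function applicantView(uid, stored) {
  if (stored.ownerUid !== uid) return null;
  const visible = Object.entries(stored).filter(([k]) =>
    k === "status" ? stored.decisionReleased === true : !REVIEWER_ONLY.has(k)
  );
  return Object.fromEntries(visible);
}

console.log(authorizeApplicantWrite("u1", SAMPLE, { ...SAMPLE, status: "accepted" }));
console.log(applicantView("u1", SAMPLE));
```

In Firestore security rules the same write check is usually expressed with `request.resource.data.diff(resource.data).affectedKeys().hasOnly([...])`.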
