hi.

so i was poking around on a school management platform used by some international schools in thailand, and i found something pretty wild. i could reset the password for any guardian or staff account with zero interaction from the victim. no phishing, no social engineering, nothing. well, almost nothing. i’ll get to that part. a weird response i started by registering a guardian account and doing the usual forgot-password flow to see how it worked. i sent a request to the forgot-password endpoint and was looking at the response when i noticed something a little off. ...