so i was poking around on a school management platform used by some international schools in thailand, and i found something pretty wild. i could reset the password for any guardian or staff account with zero interaction from the victim. no phishing, no social engineering, nothing.
well, almost nothing. i'll get to that part.
a weird response

i started by registering a guardian account and doing the usual forgot-password flow to see how it worked. i sent a request to the forgot-password endpoint and was looking at the response when i noticed something a little off.
...