
OPERATION TIMED ACCESS and THE PORTFOLIO ID BREACH: Bypassing Token Defenses to Build Complete Student Surveillance Profiles

November 23, 2025 at 1:52 PM
10 min read
#IDOR#SLMS#BRACU#CONNECT

EXECUTIVE SUMMARY

Short-lived JWT tokens provide zero protection when authorization checks are missing from your API endpoints. We completely circumvented the platform's primary defense mechanism to extract comprehensive academic intelligence on multiple students. The attached JSON dossier contains 6 complete student profiles, 24 courses across 3 semesters, and precise movement patterns extracted through systematic IDOR exploitation.


CRITICAL FINDINGS:

  • Token Lifespan Irrelevant: Session timeout provides false security when backend authorization checks are absent

  • Complete Student Reconstruction: Built detailed profiles including academic level, program focus, daily routines, and physical locations

  • Real-Time Tracking Capability: Classroom locations + schedules = predictable student movements

  • Attack Persistence: Simple re-authentication allows continuous enumeration with fresh token


ABSTRACT

During routine security reconnaissance of the BRAC University student portal infrastructure, I identified and weaponized a critical Insecure Direct Object Reference (IDOR) vulnerability that exposed the complete academic profiles of multiple students. This isn't just another bug report—this is a systemic failure in access control that reveals fundamental flaws in the institution's security posture.

The Breach in Numbers:

  • student portfolios completely exposed
  • courses across Computer Science, Finance, Business, and Pharmacy programs
  • academic semesters of sensitive schedule data
  • + faculty members and their teaching assignments
  • + classroom locations with precise timing data
  • Complete academic trajectories from course prerequisites to exam schedules

What I Extracted:

The vulnerability allowed me to reconstruct detailed student profiles by simply incrementing portfolio IDs in the API endpoint. Each student's data revealed:

  • Movement Patterns: Exact classroom locations, days, and times—perfect for physical tracking or interception.

  • Academic Identities: Course loads, program focus, year levels, and academic performance indicators.

  • Temporal Intelligence: Midterm and final exam schedules, creating opportunities for targeted social engineering during high-stress periods.

  • Social Graphs: Faculty-student relationships and potential classmate connections through shared courses.


Weaponization Potential:

This isn't theoretical. The exposed data enables:

  • Targeted Phishing: "Your CSE423 exam has been rescheduled—click here to confirm"
  • Physical Security Breaches: Knowing exactly when and where students will be vulnerable
  • Academic Fraud: Course registration manipulation or grade appeals
  • Identity Theft: Comprehensive profiles for financial aid fraud or impersonation

The Real Problem:

The most concerning aspect isn't the data exposure itself, but what it reveals about the security culture. The presence of proper authentication (JWT tokens) alongside complete absence of authorization checks demonstrates a fundamental misunderstanding of access control. This isn't a coding error—it's an architectural failure.

Why This Matters:

While the immediate fix is simple—add ownership validation—the broader implications are serious. If this basic vulnerability exists in a student scheduling API, what other systems suffer from similar flaws? Financial records? Grade databases? Personal information?

This breach serves as a canary in the coal mine for the institution's overall security maturity. The patterns suggest either insufficient security testing, lack of proper code review, or absence of security-focused development practices.
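To make the authentication-versus-authorization point concrete, here is an added example that is not the portal's code: a stdlib-only HS256 JWT mint/verify, a handler that checks only the token (the pattern the post describes) and the same handler with the ownership validation the post recommends. The signing secret, the in-memory SCHEDULES table and all function names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real service keeps this in a secret store.
SECRET = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(sub: int, ttl_seconds: int = 300) -> str:
    """Mint a short-lived HS256 JWT whose 'sub' is the caller's own portfolio id."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "exp": int(time.time()) + ttl_seconds}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str) -> dict:
    """Authentication only: check signature and expiry, return the claims."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims["exp"] < time.time():
        raise PermissionError("token expired")
    return claims


# Constructed stand-in for the schedules table, keyed by portfolio id.
SCHEDULES = {
    48818: {"program": "Finance", "courses": ["FIN425", "CST309"]},
    48819: {"program": "Computer Science", "courses": ["CSE423", "CSE422"]},
}


def get_schedule_vulnerable(token: str, portfolio_id: int) -> dict:
    """The flaw described in the post: any valid token can read any record."""
    verify_token(token)             # "who are you?" is checked
    return SCHEDULES[portfolio_id]  # "may you read THIS record?" is never asked


def get_schedule_hardened(token: str, portfolio_id: int) -> dict:
    """Ownership validation: the record must belong to the token's subject."""
    claims = verify_token(token)
    if claims["sub"] != portfolio_id:
        # Deny before touching the table, so the response does not reveal
        # whether the requested id exists.
        raise PermissionError("forbidden")
    record = SCHEDULES.get(portfolio_id)
    if record is None:
        raise LookupError("no such portfolio")
    return record


def can_read(handler, token: str, portfolio_id: int) -> bool:
    """True if the handler returns the record, False if it refuses."""
    try:
        handler(token, portfolio_id)
        return True
    except PermissionError:
        return False
```

The expiry check passes or fails identically in both handlers, which is exactly why a short token lifetime does nothing against this class of bug.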


Bottom Line:

The data I've collected could easily be weaponized for real-world attacks against these students. The fact that I obtained it through simple parameter manipulation—without bypassing authentication or exploiting complex vulnerabilities—should be a wake-up call.

Security isn't about having the right headers or using proper tokens. It's about consistently enforcing the principle of least privilege across every endpoint. Right now, that principle is completely absent in this system.

Below I am attaching the PoC (proof of concept); the findings have been edited.

{
  "security_incident_report": {
    "incident_id": "SEC-2025-001-IDOR",
    "date": "2025-11-22",
    "severity": "CRITICAL",
    "vulnerability": "Insecure Direct Object Reference (IDOR)",
    "endpoint": "/api/adv/v1/student-courses/schedules",
    "total_students_exposed": 6,
    "total_courses_exposed": 24,
    "academic_terms_exposed": 3
  },

  "exposed_students": [
    {
      "portfolio_id": 48818,
      "academic_program": "Finance",
      "semester": "20253",
      "courses": [
        {
          "section_id": 180917,
          "course_code": "FIN425",
          "course_name": null,
          "section_name": "01",
          "credits": 3,
          "faculty": "SSW",
          "room": "07A-06C",
          "course_type": "THEORY",
          "capacity": 33,
          "enrolled": 31,
          "schedule": {
            "class_days": ["MONDAY", "WEDNESDAY"],
            "class_times": ["11:00:00-12:20:00"],
            "exam_schedule": {
              "midterm": "2025-11-17 16:30:00-18:30:00",
              "final": "2026-01-12 16:30:00-18:30:00"
            }
          },
          "prerequisites": "(FIN301)"
        },
        {
          "section_id": 179603,
          "course_code": "CST309",
          "course_name": null,
          "section_name": "01",
          "credits": 3,
          "faculty": "SHJ",
          "room": "07B-18C",
          "course_type": "THEORY",
          "capacity": 30,
          "enrolled": 39,
          "schedule": {
            "class_days": ["SUNDAY", "TUESDAY"],
            "class_times": ["14:00:00-15:20:00"],
            "exam_schedule": {
              "midterm": "2025-11-17 14:00:00-16:00:00",
              "final": "2026-01-12 14:00:00-16:00:00"
            }
          },
          "prerequisites": null
        },
        {
          "section_id": 180847,
          "course_code": "BUS209",
          "course_name": null,
          "section_name": "05",
          "credits": 3,
          "faculty": "DMSB",
          "room": "07D-21C",
          "course_type": "THEORY",
          "capacity": 33,
          "enrolled": 34,
          "schedule": {
            "class_days": ["MONDAY", "WEDNESDAY"],
            "class_times": ["09:30:00-10:50:00"],
            "exam_schedule": {
              "midterm": "2025-11-22 08:30:00-10:30:00",
              "final": "2026-01-16 08:30:00-10:30:00"
            }
          },
          "prerequisites": "(STA101 AND MAT101) OR (MAT101 AND STA201) OR (MAT110 AND STA201) OR (STA101 AND MAT110)"
        },
        {
          "section_id": 180927,
          "course_code": "FIN441",
          "course_name": null,
          "section_name": "01",
          "credits": 3,
          "faculty": "SHLK",
          "room": "07A-03C",
          "course_type": "THEORY",
          "capacity": 33,
          "enrolled": 31,
          "schedule": {
            "class_days": ["SUNDAY", "TUESDAY"],
            "class_times": ["08:00:00-09:20:00"],
            "exam_schedule": {
              "midterm": "2025-11-19 08:30:00-10:30:00",
              "final": "2026-01-14 08:30:00-10:30:00"
            }
          },
          "prerequisites": "(FIN301)"
        }
      ],
      "academic_analysis": {
        "course_load": 12,
        "program_focus": "Finance with Business foundation",
        "schedule_pattern": "Morning and afternoon classes, balanced workload",
        "year_level": "Advanced undergraduate (400-level courses)"
      }
    },

    {
      "portfolio_id": 48819,
      "academic_program": "Computer Science",
      "semester": "20252",
      "courses": [
        {
          "section_id": 177697,
          "course_code": "CSE423",
          "course_name": null,
          "section_name": "15",
          "credits": 3,
          "faculty": "ANT",
          "room": "09A-06C",
          "course_type": "THEORY",
          "capacity": 38,
          "enrolled": 38,
          "schedule": {
            "class_days": ["MONDAY", "WEDNESDAY"],
            "class_times": ["08:00:00-09:20:00"],
            "exam_schedule": {
              "midterm": "2025-07-27 16:30:00-18:30:00",
              "final": "2025-09-15 16:30:00-18:30:00"
            }
          },
          "prerequisites": "(MAT216) OR (MAT212) OR (MAT203)"
        },
        {
          "section_id": 177160,
          "course_code": "CSE422",
          "course_name": null,
          "section_name": "09",
          "credits": 3,
          "faculty": "KKS",
          "room": "09A-05C",
          "course_type": "THEORY",
          "capacity": 38,
          "enrolled": 37,
          "schedule": {
            "class_days": ["SUNDAY", "TUESDAY"],
            "class_times": ["15:30:00-16:50:00"],
            "exam_schedule": {
              "midterm": "2025-07-31 11:00:00-13:00:00",
              "final": "2025-09-19 11:00:00-13:00:00"
            }
          },
          "prerequisites": "(CSE221)"
        },
        {
          "section_id": 177297,
          "course_code": "CSE330",
          "course_name": null,
          "section_name": "08",
          "credits": 3,
          "faculty": "SADF",
          "room": "09H-35C",
          "course_type": "THEORY",
          "capacity": 39,
          "enrolled": 38,
          "schedule": {
            "class_days": ["SUNDAY", "TUESDAY"],
            "class_times": ["14:00:00-15:20:00"],
            "exam_schedule": {
              "midterm": "2025-07-30 11:00:00-13:00:00",
              "final": "2025-09-18 11:00:00-13:00:00"
            }
          },
          "prerequisites": "(MAT216) OR (MAT212) OR (MAT203)"
        },
        {
          "section_id": 177406,
          "course_code": "CSE260",
          "course_name": null,
          "section_name": "07",
          "credits": 3,
          "faculty": "MDF",
          "room": "09C-13C",
          "course_type": "THEORY",
          "capacity": 26,
          "enrolled": 24,
          "schedule": {
            "class_days": ["SUNDAY", "TUESDAY"],
            "class_times": ["11:00:00-12:20:00"],
            "exam_schedule": {
              "midterm": "2025-07-26 14:00:00-16:00:00",
              "final": "2025-09-14 14:00:00-16:00:00"
            }
          },
          "prerequisites": "(CSE251)"
        }
      ],
      "lab_sections": [
        {
          "section_id": 177698,
          "course_code": "CSE423L",
          "parent_course": "CSE423",
          "section_name": "15",
          "credits": 0,
          "faculty": "TBA",
          "room": "09F-27L",
          "course_type": "LAB",
          "schedule": {
            "class_days": ["SATURDAY"],
            "class_times": ["14:00:00-16:50:00"]
          }
        },
        {
          "section_id": 177162,
          "course_code": "CSE422L",
          "parent_course": "CSE422",
          "section_name": "09",
          "credits": 0,
          "faculty": "TBA",
          "room": "09F-27L",
          "course_type": "LAB",
          "schedule": {
            "class_days": ["MONDAY"],
            "class_times": ["11:00:00-13:50:00"]
          }
        },
        {
          "section_id": 177299,
          "course_code": "CSE330L",
          "parent_course": "CSE330",
          "section_name": "08",
          "credits": 0,
          "faculty": "TBA",
          "room": "10G-34L",
          "course_type": "LAB",
          "schedule": {
            "class_days": ["THURSDAY"],
            "class_times": ["08:00:00-10:50:00"]
          }
        },
        {
          "section_id": 177407,
          "course_code": "CSE260L",
          "parent_course": "CSE260",
          "section_name": "07",
          "credits": 0,
          "faculty": "TBA",
          "room": "FT10-04L",
          "course_type": "LAB",
          "schedule": {
            "class_days": ["SATURDAY"],
            "class_times": ["11:00:00-13:50:00"]
          }
        }
      ],
      "academic_analysis": {
        "course_load": 12,
        "program_focus": "Core Computer Science with systems focus",
        "schedule_pattern": "Heavy lab schedule with weekend classes",
        "year_level": "3rd-4th year (300-400 level courses)",
        "specialization": "Systems and architecture focus"
      }
    },

    {
      "portfolio_id": 48822,
      "academic_program": "Finance/Business",
      "semester": "20253",
      "courses": [
        {
          "section_id": 181244,
          "course_code": "MSC321",
          "course_name": null,
          "section_name": "04",
          "credits": 3,
          "faculty": "SHV",
          "room": "07A-04C",
          "course_type": "THEORY",
          "capacity": 30,
          "enrolled": 30,
          "schedule": {
            "class_days": ["MONDAY", "WEDNESDAY"],
            "class_times": ["12:30:00-13:50:00"],
            "exam_schedule": {
              "midterm": "2025-11-17 16:30:00-18:30:00",
              "final": "2026-01-12 16:30:00-18:30:00"
            }
          },
          "prerequisites": "(MSC221) OR (MSC142) OR (CSE110)"
        },
        {
          "section_id": 181355,
          "course_code": "FIN422",
          "course_name": null,
          "section_name": "01",
          "credits": 3,
          "faculty": "AVK",
          "room": "MON 2:00PM: 09G-31T; WED 2:00PM: 07A-07C",
          "course_type": "THEORY",
          "capacity": 30,
          "enrolled": 30,
          "schedule": {
            "class_days": ["MONDAY", "WEDNESDAY"],
            "class_times": ["14:00:00-15:20:00"],
            "exam_schedule": {
              "midterm": "2025-11-22 08:30:00-10:30:00",
              "final": "2026-01-16 08:30:00-10:30:00"
            }
          },
          "prerequisites": "(FIN301)"
        },
        {
          "section_id": 180856,
          "course_code": "BUS221",
          "course_name": null,
          "section_name": "04",
          "credits": 3,
          "faculty": "SSD",
          "room": "07A-08C",
          "course_type": "THEORY",
          "capacity": 33,
          "enrolled": 33,
          "schedule": {
            "class_days": ["SUNDAY", "TUESDAY"],
            "class_times": ["09:30:00-10:50:00"],
            "exam_schedule": {
              "midterm": "2025-11-17 08:30:00-10:30:00",
              "final": "2026-01-12 08:30:00-10:30:00"
            }
          },
          "prerequisites": "(MKT201 AND EMB101 AND FIN201 AND MGT213) OR (MKT201 AND MGT211 AND EMB101 AND FIN201) OR (MGT301 AND MKT201 AND EMB101 AND FIN301)"
        },
        {
          "section_id": 180927,
          "course_code": "FIN441",
          "course_name": null,
          "section_name": "01",
          "credits": 3,
          "faculty": "SHLK",
          "room": "07A-03C",
          "course_type": "THEORY",
          "capacity": 33,
          "enrolled": 31,
          "schedule": {
            "class_days": ["SUNDAY", "TUESDAY"],
            "class_times": ["08:00:00-09:20:00"],
            "exam_schedule": {
              "midterm": "2025-11-19 08:30:00-10:30:00",
              "final": "2026-01-14 08:30:00-10:30:00"
            }
          },
          "prerequisites": "(FIN301)"
        }
      ],
      "academic_analysis": {
        "course_load": 12,
        "program_focus": "Finance with Management Science",
        "schedule_pattern": "Mixed morning/afternoon schedule",
        "year_level": "Advanced undergraduate",
        "note": "Shares FIN441 course with student 48818"
      }
    },

    {
      "portfolio_id": 48825,
      "academic_program": "Computer Science",
      "semester": "20251",
      "courses": [
        {
          "section_id": 175217,
          "course_code": "CSE321",
          "course_name": null,
          "section_name": "17",
          "credits": 3,
          "faculty": "MNY",
          "room": "10B-13C",
          "course_type": "THEORY",
          "capacity": 38,
          "enrolled": 32,
          "schedule": {
            "class_days": ["MONDAY", "WEDNESDAY"],
            "class_times": ["12:30:00-13:50:00"],
            "exam_schedule": {
              "midterm": "2025-03-23 16:30:00-18:30:00",
              "final": "2025-05-23 16:30:00-18:30:00"
            }
          },
          "prerequisites": "(CSE221)"
        },
        {
          "section_id": 173421,
          "course_code": "MAT120",
          "course_name": null,
          "section_name": "12",
          "credits": 3,
          "faculty": "SKN",
          "room": "10H-40C",
          "course_type": "THEORY",
          "capacity": 43,
          "enrolled": 42,
          "schedule": {
            "class_days": ["MONDAY", "WEDNESDAY"],
            "class_times": ["15:30:00-16:50:00"],
            "exam_schedule": {
              "midterm": "2025-03-24 16:30:00-18:30:00",
              "final": "2025-05-24 16:30:00-18:30:00"
            }
          },
          "prerequisites": "(MAT110)"
        },
        {
          "section_id": 174598,
          "course_code": "CSE331",
          "course_name": null,
          "section_name": "10",
          "credits": 3,
          "faculty": "NNL",
          "room": "09A-03C",
          "course_type": "THEORY",
          "capacity": 40,
          "enrolled": 25,
          "schedule": {
            "class_days": ["MONDAY", "WEDNESDAY"],
            "class_times": ["09:30:00-10:50:00"],
            "exam_schedule": {
              "midterm": "2025-03-21 16:30:00-18:30:00",
              "final": "2025-05-21 16:30:00-18:30:00"
            }
          },
          "prerequisites": "(CSE221)"
        }
      ],
      "lab_sections": [
        {
          "section_id": 175218,
          "course_code": "CSE321L",
          "parent_course": "CSE321",
          "section_name": "17",
          "credits": 0,
          "faculty": "TBA",
          "room": "12D-26L",
          "course_type": "LAB",
          "schedule": {
            "class_days": ["SATURDAY"],
            "class_times": ["14:00:00-16:50:00"]
          }
        },
        {
          "section_id": 173422,
          "course_code": "MAT120L",
          "parent_course": "MAT120",
          "section_name": "12",
          "credits": 0,
          "faculty": "TBA",
          "room": "10E-26L",
          "course_type": "LAB",
          "schedule": {
            "class_days": ["THURSDAY"],
            "class_times": ["15:30:00-16:50:00"]
          }
        }
      ],
      "academic_analysis": {
        "course_load": 9,
        "program_focus": "Computer Science with Mathematics",
        "schedule_pattern": "Mid-day classes with weekend lab",
        "year_level": "2nd-3rd year (200-300 level courses)",
        "note": "Lighter course load than other CS students"
      }
    },

    {
      "portfolio_id": 48829,
      "academic_program": "Pharmacy",
      "semester": "20252",
      "courses": [
        {
          "section_id": 178836,
          "course_code": "PHR401",
          "course_name": null,
          "section_name": "02",
          "credits": 3,
          "faculty": "NZK",
          "room": "07F-24C",
          "course_type": "THEORY",
          "capacity": 43,
          "enrolled": 42,
          "schedule": {
            "class_days": ["MONDAY", "WEDNESDAY"],
            "class_times": ["11:00:00-12:20:00"],
            "exam_schedule": {
              "midterm": "2025-10-06 09:30:00-10:50:00",
              "final": "2025-12-13 09:30:00-12:00:00"
            }
          },
          "prerequisites": "(PHR311)"
        },
        {
          "section_id": 178843,
          "course_code": "PHR405",
          "course_name": null,
          "section_name": "01",
          "credits": 3,
          "faculty": "DMR",
          "room": "08F-19C",
          "course_type": "THEORY",
          "capacity": 43,
          "enrolled": 44,
          "schedule": {
            "class_days": ["SUNDAY", "TUESDAY"],
            "class_times": ["11:00:00-12:20:00"],
            "exam_schedule": {
              "midterm": "2025-10-12 12:00:00-13:20:00",
              "final": "2025-12-10 13:30:00-16:00:00"
            }
          },
          "prerequisites": "(PHR302)"
        },
        {
          "section_id": 178810,
          "course_code": "PHB301",
          "course_name": null,
          "section_name": "02",
          "credits": 3,
          "faculty": "FZR",
          "room": "08F-19C",
          "course_type": "THEORY",
          "capacity": 43,
          "enrolled": 45,
          "schedule": {
            "class_days": ["MONDAY", "WEDNESDAY"],
            "class_times": ["15:30:00-16:50:00"],
            "exam_schedule": {
              "midterm": "2025-10-13 15:00:00-16:20:00",
              "final": "2025-12-15 13:30:00-16:00:00"
            }
          },
          "prerequisites": "(PHB109)"
        },
        {
          "section_id": 178814,
          "course_code": "PHB303",
          "course_name": null,
          "section_name": "02",
          "credits": 3,
          "faculty": "ZSH",
          "room": "07F-23C",
          "course_type": "THEORY",
          "capacity": 43,
          "enrolled": 43,
          "schedule": {
            "class_days": ["SUNDAY", "TUESDAY"],
            "class_times": ["14:00:00-15:20:00"],
            "exam_schedule": {
              "midterm": "2025-10-13 12:00:00-13:20:00",
              "final": "2025-12-21 13:30:00-16:00:00"
            }
          },
          "prerequisites": null
        },
        {
          "section_id": 178822,
          "course_code": "PHB307",
          "course_name": null,
          "section_name": "02",
          "credits": 3,
          "faculty": "MHI",
          "room": "07F-25C",
          "course_type": "THEORY",
          "capacity": 43,
          "enrolled": 42,
          "schedule": {
            "class_days": ["MONDAY", "WEDNESDAY"],
            "class_times": ["09:30:00-10:50:00"],
            "exam_schedule": {
              "midterm": "2025-10-09 12:00:00-13:20:00",
              "final": "2025-12-08 09:30:00-12:00:00"
            }
          },
          "prerequisites": "(PHB204)"
        },
        {
          "section_id": 178824,
          "course_code": "PHB308",
          "course_name": null,
          "section_name": "02",
          "credits": 3,
          "faculty": "TJF",
          "room": "07F-24C",
          "course_type": "THEORY",
          "capacity": 43,
          "enrolled": 43,
          "schedule": {
            "class_days": ["SUNDAY", "TUESDAY"],
            "class_times": ["08:00:00-09:20:00"],
            "exam_schedule": {
              "midterm": "2025-10-07 09:30:00-10:50:00",
              "final": "2025-12-15 09:30:00-12:00:00"
            }
          },
          "prerequisites": "(PHB302)"
        }
      ],
      "lab_sections": [
        {
          "section_id": 178914,
          "course_code": "PHB402L",
          "section_name": "01",
          "credits": 1,
          "faculty": "ZSH",
          "room": "11H-47L",
          "course_type": "LAB",
          "capacity": 26,
          "enrolled": 28,
          "schedule": {
            "class_days": ["SUNDAY"],
            "class_times": ["09:30:00-10:50:00"]
          },
          "prerequisites": "(PHB310L)"
        },
        {
          "section_id": 178904,
          "course_code": "PHB310L",
          "section_name": "01",
          "credits": 1,
          "faculty": "MEQ",
          "room": "11H-47L",
          "course_type": "LAB",
          "capacity": 26,
          "enrolled": 18,
          "schedule": {
            "class_days": ["TUESDAY"],
            "class_times": ["14:00:00-17:00:00"]
          },
          "prerequisites": null
        }
      ],
      "academic_analysis": {
        "course_load": 20,
        "program_focus": "Professional Pharmacy program",
        "schedule_pattern": "Intensive full-time schedule with labs",
        "year_level": "3rd-4th year professional program",
        "specialization": "Pharmacy clinical and laboratory focus"
      }
    }
  ],

  "vulnerability_analysis": {
    "exposed_data_categories": [
      "student_identification",
      "academic_programs", 
      "course_schedules",
      "classroom_locations",
      "faculty_assignments",
      "exam_schedules",
      "enrollment_statistics",
      "prerequisite_information",
      "campus_movement_patterns"
    ],
    "privacy_risks": [
      "student_tracking",
      "social_engineering", 
      "identity_theft",
      "physical_security_breaches",
      "academic_impersonation"
    ],
    "compliance_violations": [
      "FERPA",
      "GDPR",
      "institutional_data_policies"
    ]
  },

  "recommended_actions": {
    "immediate": [
      "implement_ownership_validation",
      "disable_vulnerable_endpoint", 
      "enable_comprehensive_logging",
      "security_incident_response"
    ],
    "short_term": [
      "security_audit_all_apis",
      "implement_rate_limiting",
      "add_parameter_validation",
      "deploy_waf_rules"
    ],
    "long_term": [
      "api_security_framework",
      "developer_security_training",
      "regular_penetration_testing",
      "continuous_security_monitoring"
    ]
  }
}
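The report's recommended actions include comprehensive logging, and the "Attack Persistence" finding notes that a fresh token restores access. As an added example that is not part of the report, the detector below reads access-log lines for the schedules endpoint and flags subjects that request several portfolios other than their own, keyed on the JWT subject so that re-authentication does not reset the count. The log format, the `portfolio_id` parameter name and the sample lines are all constructed; the endpoint path is the one named in the report.

```python
import re
from collections import defaultdict

ENDPOINT = "/api/adv/v1/student-courses/schedules"

# Assumed log shape (the post shows no real access logs; 'portfolio_id' is a placeholder
# parameter name): "<iso-ts> sub=<jwt subject> <method> <path>?portfolio_id=<id> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sub=(?P<sub>\d+) (?P<method>[A-Z]+) "
    r"(?P<path>[^?\s]+)\?portfolio_id=(?P<pid>\d+) (?P<status>\d{3})$"
)

# Constructed sample: 48818 walks neighbouring ids (re-authenticating mid-way would look
# identical here), 48825 reads only its own record, 48829 touches a single other id.
SAMPLE_LOG = """\
2025-11-22T10:00:01Z sub=48818 GET /api/adv/v1/student-courses/schedules?portfolio_id=48818 200
2025-11-22T10:00:09Z sub=48818 GET /api/adv/v1/student-courses/schedules?portfolio_id=48819 200
2025-11-22T10:00:14Z sub=48818 GET /api/adv/v1/student-courses/schedules?portfolio_id=48820 404
2025-11-22T10:00:20Z sub=48818 GET /api/adv/v1/student-courses/schedules?portfolio_id=48821 404
2025-11-22T10:00:27Z sub=48818 GET /api/adv/v1/student-courses/schedules?portfolio_id=48822 200
2025-11-22T10:01:02Z sub=48825 GET /api/adv/v1/student-courses/schedules?portfolio_id=48825 200
2025-11-22T10:03:40Z sub=48825 GET /api/adv/v1/student-courses/schedules?portfolio_id=48825 200
2025-11-22T10:05:11Z sub=48829 GET /api/adv/v1/student-courses/schedules?portfolio_id=48830 200
2025-11-22T10:05:30Z sub=48818 GET /api/other/v1/profile?portfolio_id=48900 200
"""


def parse_requests(log: str):
    """Yield one dict per well-formed line that hits the schedules endpoint."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("path") == ENDPOINT:
            yield {"sub": int(m["sub"]), "pid": int(m["pid"]), "status": int(m["status"])}


def longest_consecutive_run(ids) -> int:
    """Length of the longest run of consecutive integers in ids (0 for no ids)."""
    ordered = sorted(set(ids))
    best = run = 1 if ordered else 0
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumerators(log: str, min_foreign_ids: int = 3) -> dict:
    """Subjects that read at least min_foreign_ids portfolios other than their own.

    Keyed on the subject, not the token string, so minting a fresh token does not
    evade it; 404s count too, since probing absent ids is part of the pattern."""
    foreign = defaultdict(set)
    for req in parse_requests(log):
        if req["pid"] != req["sub"]:
            foreign[req["sub"]].add(req["pid"])
    return {
        sub: {"foreign_ids": sorted(ids), "longest_run": longest_consecutive_run(ids)}
        for sub, ids in foreign.items()
        if len(ids) >= min_foreign_ids
    }
```

Once ownership validation is deployed, every foreign read becomes a 403, and the threshold can be lowered to 1 so that each denied request raises an alert on its own.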

D3F1ANT
Security Researcher