Swarnim Bandekar, a computer science student at VIT-AP in India, discovered a vulnerability in the system for generating outing passes whilst living in the college hostel.
By changing the unique leave ID, he was able to download a pass for himself, even if it hadn’t been approved, and access other students’ passes by guessing their IDs.
The bug, an example of insecure direct object reference (IDOR), also let him bypass the entire mentor and warden approval workflow.
Instead of taking advantage of the vulnerability, he reported it through responsible disclosure to the college IT team, who fixed the issue in just four days.
Bandekar urges other student ethical hackers to stay curious and ethical, treating hacking as a force for good that protects others, not as a means of escaping supervision.
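The two checks missing from the pass-download flow described above, shown as an added illustration rather than code from the college's system: the `LeavePass` record, its status values and the sample data are constructed here, and the "before" function deliberately reproduces the lookup-by-ID-only behaviour the article describes.

```python
# Added example: minimal model of an outing-pass download endpoint.
# Record shape, status names and sample data are constructed for illustration.
from dataclasses import dataclass


@dataclass
class LeavePass:
    leave_id: int
    student_id: str
    status: str  # "pending", "mentor_approved", "approved", "rejected"


# Constructed sample store keyed by a sequential leave ID.
PASSES = {
    101: LeavePass(101, "student_a", "approved"),
    102: LeavePass(102, "student_a", "pending"),
    103: LeavePass(103, "student_b", "approved"),
}


class Forbidden(Exception):
    pass


def download_pass_vulnerable(leave_id: int, requester: str) -> LeavePass:
    """Before: fetch by ID only. The requester is never compared with the
    record owner and the approval state is never checked, so any ID yields
    any pass, approved or not (the IDOR described in the article)."""
    return PASSES[leave_id]


def download_pass_fixed(leave_id: int, requester: str) -> LeavePass:
    """After: same lookup, then two server-side checks: the record must belong
    to the authenticated caller, and the approval workflow must be complete."""
    record = PASSES.get(leave_id)
    # One error for both "missing" and "not yours" so responses do not reveal
    # which IDs exist for other students.
    if record is None or record.student_id != requester:
        raise Forbidden("no such pass")
    if record.status != "approved":
        raise Forbidden("pass has not completed mentor and warden approval")
    return record


def can_download(handler, leave_id: int, requester: str) -> bool:
    """Helper for comparing the two handlers: True if a pass is returned."""
    try:
        handler(leave_id, requester)
        return True
    except (Forbidden, KeyError):
        return False
```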