Scratch the title, I just want to tell a story. I have a techie friend, let’s call her Gwen. This incident was a few months ago. She has her IELTS exam scheduled for the day after tomorrow and she was unable to log in to the IDP Portal, she forgot her password. She tried to reset the password but she wasn’t successful. The test center and IDP both were clueless.

They said they couldn’t help and that she should’ve contacted them earlier. She came crying to me, not expecting me to solve her problem, just to rant as a friend but I wanted to give it a try.

The IDP reset password portal required a Passport Number, Date of Birth, and her full name. She received emails from IELTS mentioning her full name and I personally verified the passport number so I realised the issue was with her Date of Birth. That’s clue number 1.

There’s no way I would’ve tried breaking into the portal so I was coming up with ideas. Selenium based bruteforce with a rotating IP was my first thought but, I wanted to save that idea for the worst case. I asked to forward all mails she received from IELTS.

Nothing mentioned her Date of Birth. But I got lucky again. There was an appointment pdf that was password protected, and had the password in FIRSTNAME + DOB format. She wasn’t able to open that either. Confirmation to clue 1. Bingo. Clue Number 2.

So I downloaded John The Ripper and generated a hash for the password protected pdf. Made a python script that generated all valid dates from 1900 to that day when she asked. Gave the output as a password list to JtR and let the tool crack the hash. Turns out that you could open the PDF with her DoB as 1/1/1950.

Logged into her account, changed her DoB back to her actual one, and asked her to try a password that I created. It worked. I told her I hacked into the IDP “mainframe” and changed the password.

She’s kinda scared of me since then and I don’t have the heart to tell her what I actually did. So yes, title.

Edit: I think this post reached the wrong people 😔 You think I couldn’t have cracked open her account without her help? Guessing Gmail passwords ain’t that hard btw. Plenty of people use the same password for every website she’s one of those people, all I needed to do was fish out a pass from a breach. Her email was breached 4 times same pass every time. Idk why on Earth she decided to use diff pass for her IELTS account. Maybe because IELTS presets pass for you. My intent was to give an idea of how some systems could possibly be exploited, and that techies out of all people should be aware of the possibility of such things. These softwares don’t always have to be used maliciously but, they have serious potential to cause damage. You guys need to touch grass, I don’t think you understood how desperate she was or anyone else would be when offered a solution. If any of you find yourself in a position like this don’t do this. No matter how close the friend is. I’m out, peace 🕊️