FaceID in Manipal University

These are some snippets I've jotted down.

Security Flaw in Our College’s FaceID System

So, our college recently decided to upgrade its entry system. Instead of the usual ID cards, we’re now entering the futuristic world of FaceID. Pretty cool, right? Well, to make this work, they needed our lovely faces stored in their system. No big deal. They sent us a link where we were supposed to log in, show off our best angle, and upload our facial images.

The process seemed simple enough: you log in with your college email, get an OTP, enter it, and voilà—you’re in! At least, that’s how it was supposed to go. But, me being the curious person I am, I found out that things weren’t so straightforward.

The Not-So-Secure Security Flaw

Here’s where things get interesting. While I was going through the motions, I decided to take a peek under the hood. I opened up the browser developer tools (because why not?), and lo and behold, I stumbled upon a gaping security flaw.

1. API Keys Everywhere!

Now, the system was sending a GET request to generate that shiny OTP, but I noticed something: they were using an API key in the request headers. Okay, that’s normal… until I realized that this API key was as generic as it gets. It wasn’t tied to me specifically.

2. Wait, I Can Do What Now?

Here’s the fun part (and by fun, I mean concerning). I logged into my account, got the API key, and then swapped out my email address with someone else’s. And guess what? I was able to log in with their email without even needing the OTP. Yup, no email invasion needed—I could skip the whole “let me send you a code” step. It was like getting VIP access to someone else’s email ID party.

3. And About That Image…

Once I was in, I could access their account and—get this—upload my image in place of theirs. So imagine the implications: I could upload a picture of someone else, and the next time the system checked for FaceID, boom, the wrong person gets in.

Now, before anyone panics, I didn’t go around uploading images to everyone’s account (I’m not a villain, I promise!). But theoretically, someone with less noble intentions could. The API key was used heavily throughout the system, so it’s safe to say that anyone with this key could wreak havoc. Fun times, right?

So, What’s the Big Deal?

Well, in case it isn’t obvious, this flaw could let anyone:

  • Log in to other accounts without needing to send an OTP.
  • Upload a different person’s image, meaning the person in the image could waltz into campus without the system knowing they’re not the original student. A serious face-swap scenario.

The Takeaway

Here’s what we learned: Don’t reuse API keys everywhere! They should be unique and tied to specific actions. Otherwise, you might accidentally give people access to other accounts—like, well, what happened here.
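To make the takeaway concrete, here is an added sketch (my own illustration, not the college's actual code) of the flaw beside the fix: an in-memory model of the enrolment backend where the vulnerable upload trusts a shared key plus a caller-supplied email, and the hardened flow binds a session to the email the OTP was actually verified for. The key value, store names and example addresses are all made up.

```python
import hmac
import secrets

# Constructed, in-memory model of the enrolment backend (not the real system).
GLOBAL_API_KEY = "shared-app-key"   # assumed: the one key every client sent
IMAGES = {}                          # email -> uploaded face image bytes
PENDING_OTPS = {}                    # email -> otp (would expire in practice)
SESSIONS = {}                        # session token -> email it was verified for

def upload_vulnerable(api_key, email, image):
    """The flaw: the only check is a key shared by every user, and the account
    is named by an email taken straight from the request, so any holder of the
    key can overwrite any student's image without ever passing the OTP step."""
    if not hmac.compare_digest(api_key, GLOBAL_API_KEY):
        return False
    IMAGES[email] = image
    return True

def request_otp(email):
    """Step 1: generate a one-time code for the address (delivered out of band)."""
    otp = f"{secrets.randbelow(10**6):06d}"
    PENDING_OTPS[email] = otp
    return otp  # returned here only so the example can run offline

def verify_otp(email, otp):
    """Step 2: the OTP is checked server-side and consumed on any attempt; a
    session is minted that is bound to the verified email, so the client never
    gets to choose which account it is acting as."""
    expected = PENDING_OTPS.pop(email, None)
    if expected is None or not hmac.compare_digest(expected, otp):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return token

def upload_hardened(session_token, email, image):
    """Step 3: the upload is authorized against the session's own identity, not
    a caller-supplied email, so a token for A can never touch B's image."""
    owner = SESSIONS.get(session_token)
    if owner is None or owner != email:
        return False
    IMAGES[email] = image
    return True
```

The per-user session token replaces the shared key; the same rule should apply to every endpoint that names an account, not just the upload.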

So yeah, that’s the story of how I unintentionally found a pretty significant security issue. Fun times, but hopefully, a lesson learned in proper security practices!

Brick walls are there for a reason. They give us a chance to show how badly we want something. -- Randy Pausch