Sorry for the clickbait!
Don’t get me wrong. I didn’t hack-hack them but more like “uh-oh, your app has issue and I’m just a curious nerd with Burp Suite and no weekend plans".
This was conducted for educational purposes only. I do not engage in any illegal hacking activities.
So yeah… I had the ability to reset or login to all accounts on two those two, and that’s why I’m merging both stories into one article.
Back in 2019, I was just a offsec guy with a laptop, Burp Suite, and a caffeine addiction. While others were out on dates or doing gym stuff, I was in my room, gently searching on web security vulnerbilities for fun. These days? I'm a peaceful boomer in cybersecurity terms.

This is the story of how I reported a very criticle vulnerabilities (aka white hacked?) his app and a very big company, Cisco Networking Academy. Yes. That Cisco.
Note: Hacking is not about tools but just with common sense and some tricks
Case 1: Login to any account with OTP Bruteforce
As I remembered that year, he was announcing bug bounty on his app. So I had a look. logging into App and I noticed in login endpoint /api/v2/login/check?token=132a898f73c82e&phone=
- OTP was only 4 digits. That’s 0000–9999.
- There was a rate limited feature (which was abandoned)
- You could guess as many times as you want
There is "attempt" parameter in response after submit but maybe it’s not used.

how it was exploited
- Requested OTP
/api/v2/token/otp?token=... - Sent all the possible OTPs — 0000 to 9999 — like I was playing a slot machine


- After several thousand of attempts, Ding-ding-ding! OTP matched, I could see the 200 response code. Got the OTP and was able to use it to access the account.

Case 2: Cisco Netacad – Change Anyone’s Password with IDOR
Cisco, oh Cisco. You were providing cybersecurity and network to the world, but forgot to security your own site. (sorry, it’s chatgpt text)
- On Netacad’s profile edit page, you could change your password (without entering the current one)

- And the form had a very helpful hidden field called userId

How I “Hacked” It
- Logged into my own Netacad account. Innocent.
- went to
group/landing/edit-user-profile - Captured the POST request when changing password.
_netacaduserprofile_WAR_netacaduserprofileportlet_userId=MY_ID - Changed it to someone else's ID. Boom! that user's password is changed.
Why It Worked
- No check to see if I actually owned that userId.
- No current password required.
- userId was visible in public profiles. Or guessable. Or bruteforceable. Basically, it was begging to be hacked.
read more about IDOR at https://portswigger.net/web-security/access-control/idor
Lessons Learned
- will write later.