The Short Story (TL;DR)

I stumbled upon an unauthenticated API endpoint at https://example.edu/api/mahasiswa.

It happily served up student records (names, addresses, phone numbers, academic info) without asking for a single login or token.

All I had to do was change a number in the URL. 💀

How I Found It

I was casually browsing (no login, no special tools, just Chrome) and tried:

```text
https://example.edu/api/mahasiswa?nim=1234
```

The server immediately responded with:

```json
{
  "status": "success",
  "data": {
    "nama_mahasiswa": "GUGUGAGA",
    "nim": "2020",
    "tanggal_lahir": "2002-05-12",
    "jenis_kelamin": "GAY",
    "email": "farah@example.edu",
    "nomor_handphone": "123123123",
    "agama": "Islam",
    "status_pernikahan": "",
    "status_mahasiswa": "Aktif",
    "nama_perguruan_tinggi": "University of Example",
    "tanggal_masuk_kuliah": "2020-08-15",
    "kode_perguruan_tinggi": "EX001",
    "status_perguruan_tinggi": "Swasta",
    "nama_program_studi": "Informatika",
    "jenjang": "S1",
    "semester": "8",
    "ipk": "3.78",
    "jumlah_sks": "144",
    "prov_kota_pt": "Jawa Timur - Malang",
    "alamat_domisili": "Jl. Kalimantan No. 12, Malang",
    "prov_kota_domisili": "Jawa Timur - Malang",
    "alamat_ktp": "Jl. Merdeka No. 45, Surabaya",
    "prov_kota_ktp": "Jawa Timur - Surabaya"
  }
}
```

No 401. No 403. Just… pure PII served on a silver platter.

The Real Problem

Then I changed nim=1234 to nim=1235, 1236, etc.

Every single change gave me another student's full data.

It felt like flipping through someone's private filing cabinet.

With a simple script, an attacker could:

  • Download thousands of student records in minutes
  • Collect names, addresses, phone numbers, and academic stats
  • Use the data for phishing, identity theft, or harassment
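The same property that makes this easy to exploit (one client walking through consecutive NIMs) makes it easy to spot from the server side. The following is an added example, not part of the original post: it parses web-server access-log lines in the combined format, groups requests to /api/mahasiswa by client address, and flags any client that asks for many distinct nim values inside a short window, noting when those values run sequentially the way the walk above does. The log lines, addresses and thresholds are constructed for the example; only the path and parameter name come from the post.

```python
"""Added example (not from the post): spotting NIM enumeration in access logs.

Every request to the endpoint counts, whatever its status: after the endpoint
is fixed, a burst of 403s from one client is still worth an alert.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 203.0.113.7 walks nim=1234..1240 in seven seconds,
# 198.51.100.4 looks up a single record twice and logs in once.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:13:00:01 +0700] "GET /api/mahasiswa?nim=1234 HTTP/1.1" 200 812 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:13:00:02 +0700] "GET /api/mahasiswa?nim=1235 HTTP/1.1" 200 806 "-" "python-requests/2.31"
198.51.100.4 - - [10/May/2024:13:00:02 +0700] "GET /api/mahasiswa?nim=5551 HTTP/1.1" 200 790 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:13:00:03 +0700] "GET /api/mahasiswa?nim=1236 HTTP/1.1" 200 799 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:13:00:04 +0700] "GET /api/mahasiswa?nim=1237 HTTP/1.1" 200 815 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:13:00:05 +0700] "GET /api/mahasiswa?nim=1238 HTTP/1.1" 404 41 "-" "python-requests/2.31"
198.51.100.4 - - [10/May/2024:13:00:06 +0700] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:13:00:06 +0700] "GET /api/mahasiswa?nim=1239 HTTP/1.1" 200 803 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:13:00:07 +0700] "GET /api/mahasiswa?nim=1240 HTTP/1.1" 200 810 "-" "python-requests/2.31"
198.51.100.4 - - [10/May/2024:13:00:09 +0700] "GET /api/mahasiswa?nim=5551 HTTP/1.1" 200 790 "-" "Mozilla/5.0"
this line is not in access-log format and is skipped
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": parts.path,
        "query": parse_qs(parts.query),
        "status": int(m.group("status")),
    }


def _looks_sequential(ids):
    """True when at least 80% of the sorted numeric ids step by exactly one."""
    nums = sorted(int(i) for i in ids if i.isdigit())
    if len(nums) < 2:
        return False
    steps = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
    return steps / (len(nums) - 1) >= 0.8


def find_enumeration(log_text, path="/api/mahasiswa", param="nim",
                     min_distinct=5, window_seconds=60):
    """Flag clients that request >= min_distinct distinct ids on `path` within any window."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == path and param in rec["query"]:
            by_ip[rec["ip"]].append((rec["ts"], rec["query"][param][0]))

    findings = []
    for ip, events in by_ip.items():
        events.sort()
        counts = defaultdict(int)        # id -> occurrences inside the current window
        best, best_ids, left = 0, set(), 0
        for ts, nim in events:           # sliding window over time-ordered requests
            counts[nim] += 1
            while (ts - events[left][0]).total_seconds() > window_seconds:
                old = events[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) > best:
                best, best_ids = len(counts), set(counts)
        if best >= min_distinct:
            findings.append({"ip": ip, "distinct_ids": best,
                             "sequential": _looks_sequential(best_ids)})
    return findings


if __name__ == "__main__":
    for f in find_enumeration(SAMPLE_LOG):
        print(f)
```

The threshold of five distinct identifiers per minute is a starting point, not a rule; a student portal that legitimately shows one record per session should rarely see a single client fetch more than a handful, so tune it against a few days of real traffic before alerting on it.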

Why This Is Scary (aka Impact)

  • PII exposure: full names, dates of birth, home and ID-card addresses, phone numbers, religion, and academic records are returned in full
  • No authentication: anyone on the internet can call the endpoint, with nothing more than a browser
  • Mass data harvesting: NIMs are sequential and the endpoint never refuses a request, so enumerating the whole student body is trivial to automate
  • Privacy violation: students never consented to this
  • Phishing risk: with a student's name, programme, and phone number in hand, an attacker can call or email them pretending to be the university

What Should Be Fixed

  • Require authentication: every request must carry a valid session or token, so the API at least knows who is asking
  • Enforce object-level authorization: authentication alone does not fix this, because a logged-in student can still change nim= to someone else's number. The NIM in the request must be checked against the identity bound to the session (a student reads only their own record, staff only what their role needs). This is the classic IDOR, listed as API1 Broken Object Level Authorization in the OWASP API Security Top 10
  • Return only the fields the caller needs: phone, address, date of birth, and religion have no place in a general lookup response
  • Rate-limit and log: throttle requests per client and alert when one client asks for many distinct NIMs in a short time
  • Don't mistake obscurity for access control: random identifiers or pagination slow enumeration down, but a request for a record the caller is not entitled to must still be refused
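To make the first three fixes concrete, here is the endpoint behaving as the post describes next to a hardened version of the same endpoint. This is an added example, not the university's code. It uses no web framework (a request is a dict with "query" and "headers", a handler returns a status code and a JSON-style body) so it runs offline; the records, bearer tokens, roles, and the five-requests-per-minute limit are assumptions for illustration, and the field names follow the response shown above.

```python
"""Added example (not the university's code): the unauthenticated lookup the
post describes, beside a hardened version of the same endpoint."""
import time
from collections import defaultdict, deque

# Constructed student records keyed by NIM (not real people).
STUDENTS = {
    "1234": {
        "nama_mahasiswa": "Student A", "nim": "1234", "email": "a@example.edu",
        "nomor_handphone": "0811000001", "alamat_domisili": "Jl. A No. 1, Malang",
        "nama_program_studi": "Informatika", "semester": "8", "ipk": "3.78",
    },
    "1235": {
        "nama_mahasiswa": "Student B", "nim": "1235", "email": "b@example.edu",
        "nomor_handphone": "0811000002", "alamat_domisili": "Jl. B No. 2, Surabaya",
        "nama_program_studi": "Sistem Informasi", "semester": "6", "ipk": "3.41",
    },
}

# Constructed session store: bearer token -> caller identity (assumed shape).
SESSIONS = {
    "tok-student-1234": {"sub": "1234", "role": "student"},
    "tok-staff-01": {"sub": "staff-01", "role": "staff"},
}

# Contact and address fields are withheld from everyone except the record's owner.
CONTACT_FIELDS = {"email", "nomor_handphone", "alamat_domisili"}

RATE_LIMIT, RATE_WINDOW = 5, 60.0   # assumed: requests per caller per window
_requests = defaultdict(deque)      # caller -> timestamps of recent requests


def vulnerable_handler(request):
    """The behaviour the post describes: any nim, no credentials, full record."""
    record = STUDENTS.get(request.get("query", {}).get("nim"))
    if record is None:
        return 404, {"status": "error", "message": "not found"}
    return 200, {"status": "success", "data": record}


def _authenticate(request):
    """Map an 'Authorization: Bearer <token>' header to an identity, or None."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def _rate_limited(caller, now):
    """Sliding window: True once the caller has RATE_LIMIT requests inside RATE_WINDOW."""
    window = _requests[caller]
    while window and now - window[0] > RATE_WINDOW:
        window.popleft()
    if len(window) >= RATE_LIMIT:
        return True
    window.append(now)
    return False


def reset_rate_limits():
    _requests.clear()


def hardened_handler(request, now=None):
    """Authentication, then object-level authorization, then field minimisation."""
    now = time.time() if now is None else now
    identity = _authenticate(request)
    if identity is None:
        return 401, {"status": "error", "message": "authentication required"}
    # Count every authenticated request, including the ones refused below, so a
    # caller probing other people's NIMs burns their quota on the 403s too.
    if _rate_limited(identity["sub"], now):
        return 429, {"status": "error", "message": "too many requests"}

    nim = request.get("query", {}).get("nim")
    if identity["role"] == "student":
        # Object-level authorization: the NIM in the URL must match the NIM bound
        # to the session. Decide this before the lookup so the response does not
        # reveal whether some other NIM exists.
        if nim != identity["sub"]:
            return 403, {"status": "error", "message": "forbidden"}
        record = STUDENTS.get(nim)
        if record is None:
            return 404, {"status": "error", "message": "not found"}
        return 200, {"status": "success", "data": record}

    if identity["role"] == "staff":
        record = STUDENTS.get(nim)
        if record is None:
            return 404, {"status": "error", "message": "not found"}
        # Data minimisation: staff get academic fields, not contact details.
        minimal = {k: v for k, v in record.items() if k not in CONTACT_FIELDS}
        return 200, {"status": "success", "data": minimal}

    return 403, {"status": "error", "message": "forbidden"}
```

The order of the checks matters: authenticate first, so unauthenticated traffic never reaches the data layer; throttle second, so refused requests still cost the caller; authorize third, comparing the requested identifier with the identity on the session rather than trusting anything in the URL; and only then shape the response to the caller's role.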

Responsible Disclosure Note

I've anonymized the real target (example.edu).

The actual issue has been reported through proper channels.

Publishing this as an educational example so others don't make the same mistake.

Final Thoughts

This wasn't hacking.

This was typing ?nim= into a URL and getting lucky, or unlucky, depending on whose data was exposed.

If you build APIs, never trust the client: check who is asking and whether they are allowed to see the specific record they asked for, on every request.

And if you find something like this, report it.

But also, maybe write about it β€” because someone needs to hear this story.

Stay curious, but stay responsible. 🧒