June 21, 2026
How one line of JavaScript let me walk into an admin panel
So this one started just out of curiosity.
CyberM
There's this site — let's call it [Target], a social app for college students — and something about it made me want to poke at it. Before touching anything I messaged the owners and got permission to test. Then I started digging.
First I did the usual: watched the API requests the site was making, looked at how the backend answered, and started messing with IDs in the requests. And stuff worked — I could hit accounts that weren't mine. I could delete accounts, move the in-app currency around between different users, things I definitely shouldn't have been able to do. I reported all of it.
The owners weren't interested. Didn't care. Okay.
So instead of giving up I went the other direction — into the frontend. I opened the site's JavaScript files and just started reading. One file, then the next, line by line. Most of it was boring. Nothing. More nothing.
Then I opened admin.js.
And there it was — a line that basically said:
    authenticatedAdmin = true
That was the jackpot. The whole admin panel was deciding whether you were an admin based on that flag in the browser. Not a real check on the server — just a value sitting in code the user completely controls. Which meant I could set it.
So I did. I opened the browser dev tools (F12), went to the Console, and just typed:
    authenticatedAdmin = true
Because it was a plain global variable, the console let me overwrite it right there in the live page — no trick needed. Then I loaded the panel, and… I was in. No login, no password, nothing.
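To make the defect concrete, here is an added example (not code from the original post or from [Target]) contrasting the browser-side flag gate described above with a server-side authorization check. The session store, cookie name and record format are hypothetical stand-ins; the sample record is constructed.

```javascript
// Added example: why a client-side admin flag is not an access control,
// and what the server-side equivalent looks like. Hypothetical mini-app;
// all names are assumptions, not [Target]'s code.

// --- Vulnerable pattern: the gate lives in code the user controls ---
// A global in the page can be overwritten from the dev-tools console,
// and the server is never asked whether this user is actually an admin.
const clientState = { authenticatedAdmin: false };

function vulnerableAdminPanel(state, records) {
  return state.authenticatedAdmin ? records : null;
}

// --- Hardened pattern: authorization decided server-side, per request ---
// The server owns the session store; the browser only holds an opaque id.
// Constructed sessions for the demo.
const sessions = new Map([
  ['sess-admin', { userId: 1, role: 'admin' }],
  ['sess-user', { userId: 2, role: 'student' }],
]);

function requireAdmin(sessionId) {
  const session = sessions.get(sessionId);
  if (!session) return { status: 401, body: 'unauthenticated' };
  if (session.role !== 'admin') return { status: 403, body: 'forbidden' };
  return null; // authorized
}

// Role comes only from the server-side session; anything the client sends
// in the request body (e.g. its own "authenticatedAdmin") is ignored.
function adminRecordsHandler(req, records) {
  const denied = requireAdmin(req.cookies.sid);
  return denied || { status: 200, body: records };
}

// Constructed sample data; no real records.
const STUDENT_RECORDS = [{ name: 'Example Student', email: 'example@university.edu' }];

// Client tampering flips the vulnerable gate but not the server-side one.
function demo() {
  const tampered = { ...clientState, authenticatedAdmin: true }; // the console edit
  const studentReq = { cookies: { sid: 'sess-user' }, body: { authenticatedAdmin: true } };
  return {
    vulnerableBefore: vulnerableAdminPanel(clientState, STUDENT_RECORDS),
    vulnerableAfter: vulnerableAdminPanel(tampered, STUDENT_RECORDS),
    hardenedNoSession: adminRecordsHandler({ cookies: {} }, STUDENT_RECORDS).status,
    hardenedStudent: adminRecordsHandler(studentReq, STUDENT_RECORDS).status,
    hardenedAdmin: adminRecordsHandler({ cookies: { sid: 'sess-admin' } }, STUDENT_RECORDS).status,
  };
}
```

The detection side of this is simple: if a panel renders privileged data without a server round-trip that could return 401/403, the check is not on the server.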
And the panel wasn't empty. It was sitting on 5,000+ student records: .edu emails and real names. Actual people's data, behind a door that anyone could open by editing one value in their own browser.
I reported it. Got $200 :|
Tested with permission. No real user data is shown in this writeup.