Inspiration

Originally wanted to create a brute-force MSU tool, then realized that you can disable any account if you send enough requests to trigger intrusion detection.

What it does

Using a frontend GUI, users enter an account, which is sent to a DigitalOcean API where the attack executes.

How we built it

Node.js for the backend, with Fastify for the API. Regular HTML, CSS, and JS for the frontend.

Challenges we ran into

The attack requires 'state tokens' that need to be generated before you can execute the attack; creating a queue system with Puppeteer browsers was the hardest challenge.

Accomplishments that we're proud of

Relatively easy exploit to build, yet it can cause lots of damage. Also, only needing the email address is very simple for users. The online GUI also makes it so anybody with an internet connection can use the product.

What's next for MSU Lockout

Work with MSU to patch the exploit, or prevent people from locking out professors and other students, as the exploit allows for any account to be disabled.
