Udemy: Extremely high Course rating values could be set in order to make really high Average rating of the course. Negative values could be set to.

2015-07-03T20:54:19
ID H1:73808
Type hackerone
Reporter decay
Modified 2015-09-25T22:34:52

Description

Authenticated user can register for some course (paid or free). After registering and taking couple of lectures "Rate course" functional becomes active.

Malicious user can fill the rating form and submit it. By intercepting request to the server's API (by using intercepting proxy tool) and modify rating value he can set enormously large values as rating. After experimenting following restrictions was found: 1) 2147483647 <-- Maximum rating value 2) -2147483648 <-- Minimal rating value

Example of setting such rating could be found on the SCREEN: Set_rating_1.jpg

After some time that rating will affect correct calculation of course's average rating: PROF SCREEN: Result_of_wrong_rating_2.png

This issue could be used by attacker in order to trick user to buy bad quality content.

p.s. In order to remove wrong rating value i've already deleted my review. Here is PROF SCREEN: Delete_rating_3.jpg