As of 8/5/2025, Jake has patched all of the Math-a-thon exploits listed here.
All scripts are therefore deprecated and should be considered obsolete.
This is a collection of exploits which were made for the SITHS Math-a-thon website.
Most of them can be fixed by adding server-side role verification to the sensitive APIs and by not relying on "disabled" buttons (which a user can simply re-enable in the browser) to stop the user from committing undesirable actions.
The exploits documented below were not intentionally used to adversely affect the SITHS Math-a-thon website. We are sorry for any prior harm done to the website through these exploits, and we promise that no damage was intentional.
The exploits should be examined solely for educational purposes. DO NOT USE THESE EXPLOITS TO DAMAGE THE SITHS Math-a-thon WEBSITE IN ANY WAY, SHAPE, OR FORM.
For context, the "JWT update" enforced the use of JWT tokens on most Math-a-thon APIs. Prior to this update, anyone's user data (including passwords) could be changed with just their user ID. Anyone's user ID can be retrieved from the Leaderboard.
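To make the server-side difference concrete, here is an added example of the pattern the JWT update closes. It is not code from this repository or from the Math-a-thon site (whose server code is not shown here); the HS256 token helpers, the demo secret, the in-memory user table and the handler names are all constructed for the demo. The vulnerable handler trusts a `uid` from the request body, which is exactly what the pre-update APIs did; the hardened handlers take the subject from a verified token instead, look the role up server-side before allowing an announcement, and reject a negative balance.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real deployment loads this from configuration, never from source.
SECRET = b"demo-secret-do-not-use"

# Constructed in-memory stand-in for the Math-a-thon's user store.
USERS = {
    "u-100": {"balance": 50, "role": "student"},
    "u-200": {"balance": 75, "role": "student"},
    "u-999": {"balance": 0, "role": "admin"},
}
ANNOUNCEMENTS = []


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(uid: str, ttl: int = 3600) -> str:
    """Hypothetical login step: issue an HS256 JWT whose subject is the logged-in user."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": uid, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str) -> Optional[dict]:
    """Return the claims only if algorithm, signature and expiry all check out."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse "none"/RS256 substitution; we only ever issue HS256
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("exp", 0) < time.time():
        return None
    return claims


def _bearer(headers: dict) -> str:
    auth = headers.get("Authorization", "")
    return auth[7:] if auth.startswith("Bearer ") else ""


def update_balance_vulnerable(body: dict) -> tuple:
    """Pre-JWT-update pattern: anyone who knows a UID (public on the leaderboard) sets its balance."""
    USERS[body["uid"]]["balance"] = body["balance"]
    return 200, "ok"


def update_balance_hardened(headers: dict, body: dict) -> tuple:
    """Post-update pattern: the subject comes from the verified token; a uid in the body is ignored."""
    claims = verify_token(_bearer(headers))
    if claims is None:
        return 401, "invalid or missing token"
    uid = claims["sub"]  # never body["uid"]
    if uid not in USERS:
        return 404, "no such user"
    balance = body.get("balance")
    if not isinstance(balance, int) or isinstance(balance, bool) or balance < 0:
        return 400, "balance must be a non-negative integer"
    USERS[uid]["balance"] = balance
    return 200, "ok"


def post_activity_hardened(headers: dict, body: dict) -> tuple:
    """Role verification: the role is looked up server-side, not read from the request."""
    claims = verify_token(_bearer(headers))
    if claims is None or claims["sub"] not in USERS:
        return 401, "invalid or missing token"
    if USERS[claims["sub"]]["role"] != "admin":
        return 403, "admin role required"
    ANNOUNCEMENTS.append({"by": claims["sub"], "text": str(body.get("text", ""))})
    return 201, "created"
```

The important design choice is that the hardened handlers never read an identity or role from the request: the user ID is the signed `sub` claim, and the role is whatever the server's own record says for that subject. A leaked leaderboard UID then gives an attacker nothing, because the only balance a token can change is its own.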
- Mass-change Mines balances (mass_change_mines_balances.py)
  - Using /api/retrieveLeaderbaord, you can loop through the UIDs and change everyone's balance through POST requests sent to /api/updateBalance.
  - Reason for Deprecation: JWT update
- Change Mines balance based on UID (change_mines_balance.py, but with a different UID)
  - Using someone's UID, a POST request can be sent to /api/updateBalance with the UID and balance.
  - Reason for Deprecation: JWT update
- Change someone's password (password_reset.py)
  - Using someone's UID, a POST request could be sent to /api/changePassword.
  - Reason for Deprecation: JWT update; the underlying API endpoint was removed
- Change avatar image (update_avatar.py)
  - A profile image URL (likely already stored in the Math-a-thon's Supabase database) can be set as the profile picture.
  - Reason for Deprecation: never supported by the Math-a-thon; the database is currently frozen as well
- Change profile info (update_profile.py)
  - A fake teacher, OSIS, and grade could potentially have been set through the Math-a-thon's Supabase URL.
  - Reason for Deprecation: the database containing profile information is currently frozen
- Upload an announcement (edit_activity_new.py)
  - A POST request could be sent to /api/activity to update or create a new announcement, displaying anything with
  - edit_activity.py and edit_activity_new.py were created to make the announcement creation process easier.
  - Reason for Deprecation: the endpoint /api/activity has been taken down
- Sign-up with any email
  - The button which lets a given user sign up is set to "disabled" when a non-nycstudents.net email is used. However, the sign-up button can be re-enabled by removing the "disabled" property, allowing anyone to sign up for the Math-a-thon.
  - Reason for Deprecation: more effective checks were implemented to prevent unauthorized emails from signing up
- Change your own Mines balance (change_mines_balance.py)
  - Self-explanatory. However, this minigame is bloatware and security was definitely not the first priority when making Mines...
  - Reason for Deprecation: Mines minigame removed
- Bet a negative amount on the Mines
  - By removing the "disabled" property of the "Bet" button, you are able to bet a negative amount of money. Useless, but quite cool!
  - Reason for Deprecation: Mines minigame removed
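Two of the items above (sign-up with any email, and betting a negative amount) share one root cause: the only check was a "disabled" attribute on a button, which lives in the user's browser and is trivially removed. The fix is to repeat the check on the server, where the client cannot edit it. The following is an added example of such server-side checks, not code from this repository or from the Math-a-thon site; the handler names, the allowlist set and the bet rules are constructed for the demo, with only the nycstudents.net domain taken from the item above.

```python
import re

# Allowed sign-up domain, taken from the item above; compared by exact match, never endswith().
ALLOWED_SIGNUP_DOMAINS = {"nycstudents.net"}
_LOCAL_PART = re.compile(r"[A-Za-z0-9._%+-]+")


def signup_email_allowed(email: str) -> bool:
    """Server-side allowlist check that runs regardless of what the browser form permitted."""
    email = email.strip().lower()
    if email.count("@") != 1:
        return False
    local, domain = email.split("@")
    if not _LOCAL_PART.fullmatch(local):
        return False
    # Exact match: "student@nycstudents.net.evil.com" must not pass an endswith-style check.
    return domain in ALLOWED_SIGNUP_DOMAINS


def handle_signup(body: dict) -> tuple:
    """Hypothetical sign-up endpoint: the disabled-button logic is reproduced here, on the server."""
    email = str(body.get("email", ""))
    if not signup_email_allowed(email):
        return 400, "sign-up is limited to nycstudents.net accounts"
    return 201, "created"


def place_bet(balance: int, amount) -> tuple:
    """Hypothetical bet endpoint: amount validation lives here, so a re-enabled button changes nothing."""
    if not isinstance(amount, int) or isinstance(amount, bool):
        return 400, "amount must be an integer"
    if amount <= 0:
        return 400, "amount must be positive"  # closes the negative-bet trick
    if amount > balance:
        return 400, "insufficient balance"
    return 200, balance - amount
```

Note the two things a client-side `disabled` attribute never gave you: normalisation (case and surrounding whitespace) and a strict domain comparison that rejects lookalike domains and addresses with more than one `@`.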
- Aaron Wijesinghe - Maintainer of this repository, created Python implementations for the documented exploits above
- Anthony He - Updated the Activity API script to add auto JWT token refresh, reverse-engineered Math-a-thon APIs to discover exploits
- Jake Deng - Created the SITHS Math-a-thon website (albeit with lots of exploits for us to find)