will work on it #1

@JakeDangIt

Description

I've already posted an issue on Anthony's repo, so I will attach the same message.
tl;dr: thanks for your work, I will fix it.

Dear Aaron Wijesinghe and Anthony He,

Thank you for organizing these exploits concisely, as they will be handled promptly. I'd only found your API calls and my deformed activities and questions when I had visitors for the charity come by, and there lay my bad activities on the screen. I'm assuming the date on those calls, which was around May, was when you investigated further into the vulnerabilities, and this repo and Aaron's seem to have been made very recently, so I hope these haven't been found for too long.
I want to thank you for ensuring the safety of user data and the smooth running of the website through these findings. I also wanted to thank you again for the prior security issue that you'd informed me of immediately. This site being my second iteration of the online transition of the Math-a-Thon, it was bound to have crippling issues which threatened the integrity of the competition.
Overall these issues are relatively unessential to the main purpose of the website, as they are found in the minigames, avatar, contact, viewing of the entire leaderboard, and arguably the creation of faulty accounts (which were very clearly faulty haha).

Fun fact: this isn't really publicly out there, but the competition may or may not continue next year.
Nonetheless, I will work on it soon, and if you are open to it, you are welcome to suggest any changes or fixes or bugs or exploits that you may want to contribute (besides the already mentioned fixes with JWT and role verification).
Again, thank you for the effort in making sure the site is safe.

Best,
Jake Deng
Head Developer of the SITHS Math-a-Thon
