Hacking Dropbox Space Race (NUS Style)

Disclaimer

This post is for educational purposes only. If you succeed in getting NUS banned from future Dropbox space races, you will singlehandedly incur the wrath of all current and future NUS students. Honestly, I couldn't care less.

In 2012, students from MIT hacked the Dropbox Space Race by mass-creating mailing lists and signing those addresses up with Dropbox to inflate the number of MIT email addresses. MIT was subsequently banned from participating in the 2015 Space Race. A detailed account of how they managed to pull it off can be found here.

All the steps in that blog post can be replicated except for one. As far as I know, NUS does not allow students to create mailing lists. So how can we generate unique NUS email addresses in bulk? The answer is the NUS FriendlyMail service.

Friendly Mail

There is no limit on the number of times you can change your email address, and the change takes effect almost immediately. The short dropdown menu lets you select either "_" or "." as the separator, while the last input box lets you pick a number from 01 to 99. Thus, every user can potentially generate a lower bound of ((6 * 2) * (4 + 3 + 2 + 1) * 100) =~ 12,000 unique email addresses, which is plenty for our purposes.

Automating the process is also trivial: authentication is done through basic auth. You will need to echo back a number of session IDs and handle errors such as the email address already being in use. Python should make short work of it.
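The same two properties that make the process easy to script, no limit on changes and an immediate effect, are what an operator of such a service would look for in its own change log. The following is an added example, not code from the original post or from NUS: it parses constructed alias-change log lines (the log format, user IDs and the threshold are all assumptions) and flags any account whose alias changes arrive in a burst rather than at the rate a person changing their address by hand would produce.

```python
"""Flag alias-churn abuse from constructed alias-change log lines.

Added example, not part of the original post. The log format below
(timestamp, user=, action=, new=) is an assumption; a real service would
substitute its own audit-log parser. Lines are assumed to be in
chronological order, as an audit log normally is.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one line per alias change (format is an assumption).
SAMPLE_LOG = """\
2015-03-10T10:00:01Z user=e0123456 action=alias_change new=alice_tan_01@u.nus.edu
2015-03-10T10:00:03Z user=e0123456 action=alias_change new=alice_tan_02@u.nus.edu
2015-03-10T10:00:05Z user=e0123456 action=alias_change new=alice_tan_03@u.nus.edu
2015-03-10T10:00:07Z user=e0123456 action=alias_change new=alice_tan_04@u.nus.edu
2015-03-10T10:00:09Z user=e0123456 action=alias_change new=alice_tan_05@u.nus.edu
2015-03-10T10:00:11Z user=e0123456 action=alias_change new=alice_tan_06@u.nus.edu
2015-03-10T11:30:00Z user=e0654321 action=alias_change new=bob.lim.01@u.nus.edu
2015-03-11T09:15:00Z user=e0654321 action=alias_change new=bob.lim.02@u.nus.edu
"""


def parse_line(line):
    """Parse one log line into (timestamp, user, new_alias), or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if fields.get("action") != "alias_change" or "user" not in fields or "new" not in fields:
        return None
    return ts, fields["user"], fields["new"]


def flag_alias_churn(log_text, max_changes=3, window=timedelta(hours=1)):
    """Return {user: burst_size} for users exceeding max_changes alias changes
    inside any sliding window of the given length.

    A person changing their address by hand does so rarely; a script
    generating aliases in bulk produces a tight burst. The threshold and
    window are assumptions to be tuned against real traffic.
    """
    recent = defaultdict(deque)   # user -> timestamps still inside the window
    peak = defaultdict(int)       # user -> largest burst observed
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                # skip malformed lines rather than crash
        ts, user, _ = parsed
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # drop changes that fell out of the window
        peak[user] = max(peak[user], len(q))
    return {u: n for u, n in peak.items() if n > max_changes}


if __name__ == "__main__":
    print(flag_alias_churn(SAMPLE_LOG))   # {'e0123456': 6}
```

The same sliding-window count, applied at request time instead of over a log, is the obvious mitigation: refuse an alias change once a user has exceeded the per-window budget, which removes the "no limit" property the scripted approach depends on.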

Request:

```http
GET /pea/applypea/pea.asp HTTP/1.1
Host: exchange.nus.edu.sg
Authorization: Basic redactedforprivacy
```

Response (after a few 301s and 302s):

```http
HTTP/1.1 200 OK
Set-Cookie: ASPSESSIONIDQARHCSAT=redactedforprivacy; secure; path=/
Cookie: __RequestVerificationToken=redactedforprivacy;
ASPSESSIONIDQARHCSAT=redactedforprivacy;
ASP.NET_SessionId=redactedforprivacy;
ASPSESSIONIDQERCBRAS=redactedforprivacy
```

Request:

```http
GET /fea/ HTTP/1.1
Host: exchange.nus.edu.sg
Authorization: Basic redactedforprivacy
Cookie: __RequestVerificationToken=redactedforprivacy;
ASPSESSIONIDQARHCSAT=redactedforprivacy;
ASP.NET_SessionId=redactedforprivacy;
ASPSESSIONIDQERCBRAS=redactedforprivacy
Name1:  generate
Seperator1: your
Name2:  email
Seperator2: address
Name3:  and
Seperator3: paste
Name4:  the
Seperator4: stuff
Number: here
```

Response:

```http
HTTP/1.1 200 OK
```

At the end of it, you will receive an email confirming the successful change. Don't bother intercepting the GET request and trying to change the field to provost@u.nus.edu or something similar: input validation is done on the server side.