benburrill closed this issue 8 years ago
@Potato42 could you post this on https://hackerone.com/khanacademy along with repro steps?
Ok I will. It's not really a vulnerability though, it's just that help requests act the same as questions.
I didn't realize this would be a security issue or I would have mentioned it long ago.
Currently, you don't even need to get fancy with the API to open a Help Request on another program. It's only hidden by a CSS rule; you can just unhide that tab with a line of code and let the UI make the API call and do the work. Same with "opening your own Tips & Thanks", and such. I haven't seen it misused, just one of those things students figure out and sometimes teach each other.
Hmm... can the owner of the scratchpad still make a help request if someone else has? The reason I ask is that a user can't have more than one help request open at a time.
@SpongeJr that's good to know as well. Thanks.
Given the recent comments, I won't post to hackerone, at least not yet. I'll go test to see if the owner can make a help request.
@Potato42 sounds good
You cannot create a help request (at least using the UI) if someone else has already made one. Still, not a vulnerability, and all you need to do is answer that help request to be able to post.
@SpongeJr I still think this should be fixed. Although I agree it is not a vulnerability and cannot really be misused (apart from making it harder to post help requests), there should be a real difference between questions and help requests.
Help requests and questions must be at least somewhat separate on the server side anyway; it can't be that hard to make them actually different, right?
I believe this issue was resolved in yesterday's deploy, so I'm closing the issue, though please take a look to confirm :) Thanks, all!
It works even if you don't own them.