
A userscript that does the following for an iClicker session: spoofs geolocation to the instructor's, auto-joins the class, and auto-answers poll questions with random answers.


1vke/iclicker-exploit-poc


iClicker exploit poc

This userscript is an example of how the iClicker web application can be exploited, allowing for the following things:

  • automatically joining a session
  • joining without being at the session location
  • having poll questions be answered automatically

DISCLAIMER

I am in no way responsible for how this is used. If you use it for nefarious reasons, that is completely your own fault and you will have to face the consequences.

This was built for educational purposes only.

Features

  • Location spoofing
    • Posts dummy geolocation data to the iClicker servers, which respond with the session location as latitude and longitude. The script stores that session location in local storage so it doesn't have to fetch it again every time, and then posts that location to the iClicker servers, allowing the user to join the session from another location.
  • Auto joining of sessions
    • Senses whenever a session has been started, and joins the session.
  • Auto answering of poll questions
    • Senses whenever a poll question has been started, waits for a delay set in a constant, then chooses a random answer from the array of choices in the script.

Usage

This has only been tested on Google Chrome.

This script is meant to be loaded into a userscript extension. My favorite is Violentmonkey, but any other popular one should work.

From there, there is not much setup, unless you would like to change the constants I have in the script (possible answers, delays).

How is this possible?

This script takes advantage of the Angular API, specifically the injector method. It allows the existing functions and methods of certain services to be altered, which makes the custom behavior described above possible.

How did I do this?

By reading through the minified code of the iClicker app. I searched until I found the services and the methods that I needed to mess with.

I was inspired to do this because I couldn't get into a session when I was in the right location. Once I saw that the iClicker app shows you your session's location when you "aren't" in the right location, I got curious. Sure enough, iClicker just sends the exact location of the session. How nice of them :)
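The disclosure described above, seen from the server side: an added example (not code from this repository or from iClicker) of a geofence check that returns only a verdict and never echoes the session's coordinates or the computed distance. The `session` shape, `checkIn`, the reason strings and the 100 m radius are assumptions made for illustration.

```javascript
// Added example: hypothetical server-side geofence check (not iClicker's code).
const EARTH_RADIUS_M = 6371000;
const toRad = (deg) => (deg * Math.PI) / 180;

// Great-circle distance in metres between two {lat, lon} points (haversine).
function haversineMeters(a, b) {
  const dLat = toRad(b.lat - a.lat);
  const dLon = toRad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_M * Math.asin(Math.sqrt(h));
}

// Reject missing, non-numeric or out-of-range coordinates before any maths.
function validPoint(p) {
  return Boolean(p) && Number.isFinite(p.lat) && Number.isFinite(p.lon) &&
    Math.abs(p.lat) <= 90 && Math.abs(p.lon) <= 180;
}

// Returns only a verdict. The session's coordinates and the computed
// distance stay on the server and are never placed in the response.
function checkIn(session, reported) {
  if (!validPoint(reported)) return { joined: false, reason: "invalid_location" };
  const distance = haversineMeters(session.location, reported);
  return distance <= session.radiusM
    ? { joined: true }
    : { joined: false, reason: "out_of_range" };
}

// Constructed sample data.
const session = { location: { lat: 40.0, lon: -75.0 }, radiusM: 100 };
console.log(checkIn(session, { lat: 40.0005, lon: -75.0 })); // about 56 m away
console.log(checkIn(session, { lat: 0, lon: 0 }));           // far outside the fence
```

This closes only the information leak. Coordinates reported by the browser remain client-controlled, so a geofence verdict on its own is not proof of presence.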

Issues

  • When joining a session, an error message appears saying something about location
    • I believe that this is just a permission issue with iClicker, not a script issue. Make sure your browser is allowing the iClicker site to access your location. After allowing it, you might need to restart your browser.
  • Script fails to see that a session has been started after a session has been started, then closed, then started again within a short amount of time
    • This event will rarely happen, but it is still possible.
    • The necessary functionality has been added to prevent this from happening.
