How to hack the Breakthrough Prize (ft. Session Confusion)

submitted by
Style Pass
2024-09-25 17:30:08

The Breakthrough Junior Challenge is an annual, global science video competition for high-school students. It's run by Breakthrough Initiatives, the same organization that runs the Breakthrough Prize events.

In 2023, I discovered a critical vulnerability in the Breakthrough Challenge website. More than one year after it was patched, I am disclosing the bug for the sake of transparency. I believe this class of vulnerability, which I am introducing as 'Session Confusion', is often overlooked.

While waiting for a video call related to an unrelated incident, I got bored and clicked around in my bookmarks. I rediscovered the Breakthrough Junior Challenge website, to which I had submitted my entry the year before.

The Breakthrough Challenge website allows participants to register accounts, which are used to submit personal details and video entries.
