Responsible Disclosure

When Curiosity Unveils an Oversight: My Experience with a Canadian Radio Contest

A radio station's keyword contest API was returning every future codeword in the contest — all at once — to anyone who submitted a correct answer.

Just wanted to share a really interesting disclosure I made to a media organization in Canada a few weeks ago.

This media organization was running a radio contest where they would announce keywords over the radio at set times. Every few hours, you could visit a number of websites across Canada to submit your name along with the keyword, in an effort to win a prize of $1,000 weekly, with an overall grand prize of $100,000. With the upcoming release of the Nvidia RTX 5080, I needed all the money I could get — so I figured I would enter.

The contest required that the keyword be submitted before you could actually enter, so a verification check was performed against an API. As curious as I am, I decided to see how this was handled, and I was met with a very interesting surprise.

The API returns all valid keywords for the entirety of the contest.

How exciting.

With this in mind, I assumed they must be checking the codewords client-side. But I was wrong.

Interestingly, it would only leak all the keywords if you submitted a correct keyword. If you submitted something incorrect, you would just get a response back saying you failed. This must have been an oversight, or some kind of debug feature that was incorrectly left in production.

The API response, with the valid codewords redacted, showing every contest keyword in the data field.
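To make the flaw concrete, here is a constructed model of both handlers in Python: the leaky verification endpoint beside a data-minimised one, plus a regression check that flags any response carrying keywords the client did not already know. This is an added example, not the station's code; the schedule, keywords and response shapes are assumptions.

```python
"""Constructed model of the contest API flaw: a verification endpoint that, on a
correct answer, echoes every keyword in the schedule, beside a data-minimised version.
The schedule, keywords and response shapes are made up, not the station's real API."""
from datetime import datetime, timezone
from typing import Optional
import hmac
import json

# Constructed schedule: (time the keyword is announced on air, keyword).
SCHEDULE = [
    (datetime(2025, 1, 6, 8, 0, tzinfo=timezone.utc), "maple"),
    (datetime(2025, 1, 6, 12, 0, tzinfo=timezone.utc), "toque"),
    (datetime(2025, 1, 6, 16, 0, tzinfo=timezone.utc), "loonie"),
]
T_NOON = SCHEDULE[1][0]  # a sample "now" for the checks below

def active_keyword(now: datetime) -> Optional[str]:
    """Keyword whose on-air window contains `now`; None before the first announcement."""
    current = None
    for starts_at, word in SCHEDULE:
        if starts_at <= now:
            current = word
    return current

def verify_leaky(submitted: str, now: datetime) -> dict:
    """The oversight from the post: a correct answer returns the whole schedule in `data`."""
    if submitted == active_keyword(now):
        return {"status": "ok", "data": [word for _, word in SCHEDULE]}
    return {"status": "fail"}

def verify_fixed(submitted: str, now: datetime) -> dict:
    """Hardened handler: compare only against the current keyword, return only pass/fail."""
    expected = active_keyword(now)
    ok = expected is not None and hmac.compare_digest(
        submitted.strip().lower().encode(), expected.encode()
    )
    return {"status": "ok" if ok else "fail"}

def response_leaks_keywords(response: dict, now: datetime) -> bool:
    """Regression check for CI: True if the serialised response contains any keyword
    other than the one the client has already proven it knows."""
    body = json.dumps(response).lower()
    current = active_keyword(now)
    return any(word in body for _, word in SCHEDULE if word != current)
```

Running `response_leaks_keywords` over every handler response in the test suite would have caught this before the contest went live.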

As someone who works in the field, responsible disclosure is important to me. So once I found this, I documented it and gave the general manager of the radio station a call. He was genuinely interested in the discovery and passed it on to the team running the contest.

I’m happy to say they patched it fairly quickly — the API calls no longer disclosed any of the keywords in the data field.

This is an interesting finding that probably went under the radar for a while. But it really does show the importance of pen testing your web applications — even small, short-lived ones — before they go into production. A contest API isn’t a banking portal, but the same careless mistake in a higher-stakes environment would be a much more serious problem.