github.io/content/blog/duolingo-xp-exploit.en.md

38 lines
1.3 KiB
Markdown
Raw Normal View History

---
date: 2022-06-07T22:11:49Z
draft: false
aliases: []
categories: ['exploit']
series: ['hacking']
tags: ['bug']
chroma: false
toc: true
title: Duolingo Xp Exploit
description: I found a bug in the Duoling app for iOS that let's super/pro users instantly complete speaking only lessons.
---
{{< raw >}}
<style>video { float: right; }</style>
<video width='27%' autoplay controls loop muted>
<source src='/duolingo-xp-exploit.mp4' type='video/mp4'>
<b>Your browser does not support the video tag!</b>
</video>
{{< /raw >}}
It's possible for super/pro users to instantly complete speaking only lessons on iOS.
## How to reproduce
1. Make sure the Duoling app does *not* have microphone access.
2. Start a round of "Perfect Pronunciation" in the "Practice Hub".
3. Click continue and when prompted for microphone access, just click cancel.
4. Profit. (Instant perfect lesson!)
## Summary
2022-06-08 09:50:51 +00:00
The bug here seems to be that the first in app prompt for microphone access does nothing, except telling the end user to *please* give up mic perms.
Later we do actually get that iOS prompt on the first actual lesson.
The Duoling app skips all the speaking lessons as it usually would when denied microphone access.
But this of course is a big problem when all the lessons are speaking lessons.
The end result is an *almost* instant perfect lesson!~